New Stable-Series Linux Kernels 5.4.3, 5.3.16 and 4.19.89 Fix KVM Crash Vulnerability
The latest round of Linux kernels fixes a minor problem with KVM which allows anyone using a KVM-enabled virtual machine to crash the host system. The problem, assigned CVE-2019-19332, was a missing bounds check in KVM_GET_EMULATED_CPUID. Providers of virtual machines should consider upgrading.
Written by 林慧 (Wai Lin). Published 2019-12-13, last edited 2019-12-13.
The CVE vulnerability database lists CVE-2019-19332 as "reserved" on November 27, 2019. It has no details. The kernel commit by Red Hat's Paolo Bonzini which fixes this minor problem is not "reserved". It was submitted to the Linux git tree on December 4th and it is present in kernel versions 5.4.3, 5.3.16 and 4.19.89, which were released today. It simply adds the check if (*nent >= maxnent) return -E2BIG; to the do_cpuid_func function in arch/x86/kvm/cpuid.c to avoid a crash when KVM_GET_EMULATED_CPUID is called.
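As an added illustration (not the kernel's code), here is a simplified C model of the pattern the fix adds: the check sits before the write, so a caller that asks for more CPUID leaves than it gave room for gets -E2BIG back instead of an out-of-bounds write. The struct, the function names and the leaf contents are assumptions made for this example.

```c
/* Added example (not the kernel's code): a simplified model of the check
 * the fix adds. Struct and function names are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct cpuid_entry { uint32_t function, eax, ebx, ecx, edx; }; /* ~kvm_cpuid_entry2 */
#define GUARD 0xDEADBEEFu  /* canary placed right after the entry array */
/* Emulate one cpuid leaf into entries[*nent]; the first test is the same
 * pattern as the fix: refuse to write once the caller's array is full. */
static int fill_emulated_entry(struct cpuid_entry *entries, uint32_t func,
                               int *nent, int maxnent)
{
    if (*nent >= maxnent)
        return -E2BIG;     /* report "too big" instead of writing past the end */
    struct cpuid_entry *e = &entries[*nent];
    memset(e, 0, sizeof(*e));
    e->function = func;    /* constructed contents; real leaves carry feature bits */
    ++(*nent);
    return 0;
}

/* Model of the ioctl handler: the caller asks for `requested` leaves but
 * supplied room for only `maxnent` entries. */
int get_emulated_cpuid(struct cpuid_entry *entries, int maxnent,
                       int requested, int *nent)
{
    *nent = 0;
    for (uint32_t func = 0; func < (uint32_t)requested; ++func) {
        int r = fill_emulated_entry(entries, func, nent, maxnent);
        if (r)
            return r;
    }
    return 0;
}

/* Run one request against a 4-entry array followed by a guard word; report
 * the return code, entries written, and whether the guard survived. */
struct result { int rc, nent, guard_ok; };
struct result run_request(int requested)
{
    struct { struct cpuid_entry ents[4]; uint32_t guard; } buf = { .guard = GUARD };
    struct result r;
    r.rc = get_emulated_cpuid(buf.ents, 4, requested, &r.nent);
    r.guard_ok = (buf.guard == GUARD);
    return r;
}
int request_rc(int n)       { return run_request(n).rc; }
int request_nent(int n)     { return run_request(n).nent; }
int request_guard_ok(int n) { return run_request(n).guard_ok; }
```

Asking for 10 leaves with room for 4 stops at the fourth entry and returns -E2BIG; the guard word after the array is never touched.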
The changelogs for the latest kernels list a dozen or so unrelated fixes for the KVM sub-system. None are particularly interesting. There is one arm64-specific fix from Huawei's Zenghui Yu whose description reads: "It's possible that two LPIs locate in the same "byte_offset" but target two different vcpus, where their pending status are indicated by two different pending tables. In such a scenario, using last_byte_offset optimization will lead KVM relying on the wrong pending table entry." Huawei's Kunpeng chips are the only really powerful ARM-based server CPUs on the market, so it makes sense that Huawei is making an effort to ensure that KVM works smoothly on (their) ARM systems. The American cloud provider Amazon does have a similarly powerful ARM server chip called Graviton 2, but it's only for internal use; you can rent cloud instances using it but you can't buy a server with those chips.
Sadly, the kernel 5.4.3 changelog has no mention of any fixes for the Intel iGPU problems that are present in 5.4-series kernels. Those using Intel iGPUs should stick with 5.3-series kernels at 5.3.14 or later for now (Intel's i915 kernel module goes around freeing memory it does not own in 5.3-series kernels older than 5.3.14). There is a fix for a potential out-of-bounds write problem in the i810 module used by really ancient Intel iGPUs in all the latest kernels.
There is nothing else really interesting in the changelogs for these kernels apart from the typical list of small bug-fixes in all areas.
The only minor thing which is remotely interesting is a patch titled "tty: vt: keyboard: reject invalid keycodes", which is described as "Do not try to handle keycodes that are too big, otherwise we risk doing out-of-bounds writes". It adds the check if (event_type == EV_KEY && event_code <= KEY_MAX) to drivers/tty/vt/keyboard.c, which raises the obvious question: how many keyboard keys are too many? The answer is, apparently, 0x2ff or 767 different keys. 767 keys should be enough for anyone.
The source code for the latest kernels is, as always, available from kernel.org.