Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1836244 (CVE-2020-12888) - CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario
Summary: CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices ma...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12888
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1820632 1836245 1837291 1837292 1837293 1837294 1837295 1837297 1837298 1837299 1837300 1837301 1837302 1837303 1837304 1837305 1837306 1837307 1837308 1837309 1837310 1837311 1837312 1837313 1837314
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-15 13:13 UTC by Prasad Pandit
Modified: 2021-02-16 20:02 UTC (History)
50 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel, where it allows userspace processes, for example, a guest VM, to directly access h/w devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access the read/write devices' MMIO address space when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, crashing the system. This flaw allows a guest user or process to crash the host system resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2020-06-23 17:20:29 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2712 0 None None None 2020-06-23 20:18:39 UTC
Red Hat Product Errata RHBA-2020:2974 0 None None None 2020-07-16 12:28:49 UTC
Red Hat Product Errata RHBA-2020:2975 0 None None None 2020-07-16 12:29:20 UTC
Red Hat Product Errata RHBA-2020:2976 0 None None None 2020-07-16 12:31:50 UTC
Red Hat Product Errata RHBA-2020:3086 0 None None None 2020-07-22 01:04:34 UTC
Red Hat Product Errata RHSA-2020:2664 0 None None None 2020-06-23 12:25:49 UTC
Red Hat Product Errata RHSA-2020:2665 0 None None None 2020-06-23 12:26:14 UTC
Red Hat Product Errata RHSA-2020:2831 0 None None None 2020-07-07 08:27:57 UTC
Red Hat Product Errata RHSA-2020:2832 0 None None None 2020-07-07 08:37:07 UTC
Red Hat Product Errata RHSA-2020:2851 0 None None None 2020-07-07 09:52:19 UTC
Red Hat Product Errata RHSA-2020:2854 0 None None None 2020-07-07 13:19:08 UTC
Red Hat Product Errata RHSA-2020:3010 0 None None None 2020-07-21 11:05:28 UTC
Red Hat Product Errata RHSA-2020:3016 0 None None None 2020-07-21 11:23:35 UTC
Red Hat Product Errata RHSA-2020:3019 0 None None None 2020-07-21 13:41:20 UTC
Red Hat Product Errata RHSA-2020:3041 0 None None None 2020-07-21 14:32:30 UTC
Red Hat Product Errata RHSA-2020:3222 0 None None None 2020-07-29 19:37:28 UTC
Red Hat Product Errata RHSA-2020:3230 0 None None None 2020-07-29 21:40:46 UTC

Description Prasad Pandit 2020-05-15 13:13:38 UTC
Linux kernel allows user space processes (like guest VM) to directly access h/w devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to access(r/w) devices' MMIO address space, when it is disabled, some h/w devices issue an interrupt to the CPU to indicate a fatal error condition, essentially crashing down the system. A guest user/process may use this flaw to crash the host system resulting in DoS scenario.

Upstream patches:
-----------------
  -> https://lore.kernel.org/kvm/158871570274.15589.10563806532874116326.stgit@gimli.home/
  -> https://lore.kernel.org/kvm/158871401328.15589.17598154478222071285.stgit@gimli.home/

Reference:
----------
  -> https://www.openwall.com/lists/oss-security/2020/05/19/6

Comment 1 Prasad Pandit 2020-05-15 13:14:11 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1836245]

Comment 3 RaTasha Tillery-Smith 2020-05-18 15:27:06 UTC
Statement:

This issue does not affect the versions of the kernel package as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
This issue affects the versions of the kernel package as shipped with Red Hat Enterprise Linux 7 and 8. Future kernel updates for Red Hat Enterprise Linux 7 and 8 may address this issue.

Comment 9 errata-xmlrpc 2020-06-23 12:25:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2664 https://access.redhat.com/errata/RHSA-2020:2664

Comment 10 errata-xmlrpc 2020-06-23 12:26:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2665 https://access.redhat.com/errata/RHSA-2020:2665

Comment 11 Product Security DevOps Team 2020-06-23 17:20:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12888

Comment 12 errata-xmlrpc 2020-07-07 08:27:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2020:2831 https://access.redhat.com/errata/RHSA-2020:2831

Comment 13 errata-xmlrpc 2020-07-07 08:37:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:2832 https://access.redhat.com/errata/RHSA-2020:2832

Comment 14 errata-xmlrpc 2020-07-07 09:52:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2851 https://access.redhat.com/errata/RHSA-2020:2851

Comment 15 errata-xmlrpc 2020-07-07 13:19:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2854 https://access.redhat.com/errata/RHSA-2020:2854

Comment 17 errata-xmlrpc 2020-07-21 11:05:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3010 https://access.redhat.com/errata/RHSA-2020:3010

Comment 18 errata-xmlrpc 2020-07-21 11:23:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3016 https://access.redhat.com/errata/RHSA-2020:3016

Comment 19 errata-xmlrpc 2020-07-21 13:41:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3019 https://access.redhat.com/errata/RHSA-2020:3019

Comment 20 errata-xmlrpc 2020-07-21 14:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3041 https://access.redhat.com/errata/RHSA-2020:3041

Comment 22 errata-xmlrpc 2020-07-29 19:37:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3222 https://access.redhat.com/errata/RHSA-2020:3222

Comment 23 errata-xmlrpc 2020-07-29 21:40:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3230 https://access.redhat.com/errata/RHSA-2020:3230


Note You need to log in before you can comment on or make changes to this bug.