CVE-2017-1000252 CrOS: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-1000252
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-1000252
CVSS severity score: 2.1/10.0
Description: The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of-bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Sep 29 2017
Upstream:
36ae3c0a36b ("KVM: Don't accept obviously wrong gsi values via KVM_IRQFD")
3a8b0677fc6 ("KVM: VMX: Do not BUG() on out-of-bounds guest IRQ")
All chromeos versions are affected.
Sep 29 2017
The bug fixed by 3a8b0677fc6 was only introduced after v3.18 and thus only affects chromeos-4.4 and chromeos-4.12.
Sep 29 2017
Only affects images with CONFIG_KVM enabled, which we currently don't ship. Updating impact and target release accordingly.
Sep 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1e6d1bba0533ac6464d96b8617765addf13e56c3

commit 1e6d1bba0533ac6464d96b8617765addf13e56c3
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Fri Sep 29 21:35:24 2017

UPSTREAM: KVM: Don't accept obviously wrong gsi values via KVM_IRQFD

We cannot add routes for gsi values >= KVM_MAX_IRQ_ROUTES -- see kvm_set_irq_routing(). Hence, there is no sense in accepting them via KVM_IRQFD. Prevent them from entering the system in the first place.

BUG=chromium:770154
TEST=Build and run

Change-Id: Idcc9f7606d1238645bbb4fd2def264a9f9f7071f
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 36ae3c0a36b)
Reviewed-on: https://chromium-review.googlesource.com/692736
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/1e6d1bba0533ac6464d96b8617765addf13e56c3/virt/kvm/eventfd.c
Sep 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/1ddce6579c4e3140b470e21d60729dba2737d1be

commit 1ddce6579c4e3140b470e21d60729dba2737d1be
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Fri Sep 29 21:35:25 2017

UPSTREAM: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ

The value of the guest_irq argument to vmx_update_pi_irte() is ultimately coming from a KVM_IRQFD API call. Do not BUG() in vmx_update_pi_irte() if the value is out-of-bounds. (Especially, since KVM as a whole seems to hang after that.)

Instead, print a message only once if we find that we don't have a route for a certain IRQ (which can be out-of-bounds or within the array).

This fixes CVE-2017-1000252.

Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")

BUG=chromium:770154
TEST=Build and run

Change-Id: I9fad6de4fd0b525519ca64e76610315cf4dd79e9
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 3a8b0677fc6)
Reviewed-on: https://chromium-review.googlesource.com/692737
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/1ddce6579c4e3140b470e21d60729dba2737d1be/arch/x86/kvm/vmx.c
Sep 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8f20da3ee025db9edc7eff37b235baa6531d063a

commit 8f20da3ee025db9edc7eff37b235baa6531d063a
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Sat Sep 30 00:42:51 2017

UPSTREAM: KVM: Don't accept obviously wrong gsi values via KVM_IRQFD

We cannot add routes for gsi values >= KVM_MAX_IRQ_ROUTES -- see kvm_set_irq_routing(). Hence, there is no sense in accepting them via KVM_IRQFD. Prevent them from entering the system in the first place.

BUG=chromium:770154
TEST=Build and run

Change-Id: Idcc9f7606d1238645bbb4fd2def264a9f9f7071f
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 36ae3c0a36b)
Reviewed-on: https://chromium-review.googlesource.com/692837

[modify] https://crrev.com/8f20da3ee025db9edc7eff37b235baa6531d063a/virt/kvm/eventfd.c
Sep 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d804747ee6cc74a9fa46a730ab92ea59cb8f0422

commit d804747ee6cc74a9fa46a730ab92ea59cb8f0422
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Sat Sep 30 00:42:49 2017

UPSTREAM: KVM: Don't accept obviously wrong gsi values via KVM_IRQFD

We cannot add routes for gsi values >= KVM_MAX_IRQ_ROUTES -- see kvm_set_irq_routing(). Hence, there is no sense in accepting them via KVM_IRQFD. Prevent them from entering the system in the first place.

BUG=chromium:770154
TEST=Build and run

Change-Id: Idcc9f7606d1238645bbb4fd2def264a9f9f7071f
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 36ae3c0a36b)
Reviewed-on: https://chromium-review.googlesource.com/692835

[modify] https://crrev.com/d804747ee6cc74a9fa46a730ab92ea59cb8f0422/virt/kvm/eventfd.c
Sep 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5a07979c1a8cd0b21e59ef494c712f9279c842e1

commit 5a07979c1a8cd0b21e59ef494c712f9279c842e1
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Sat Sep 30 00:43:00 2017

UPSTREAM: KVM: Don't accept obviously wrong gsi values via KVM_IRQFD

We cannot add routes for gsi values >= KVM_MAX_IRQ_ROUTES -- see kvm_set_irq_routing(). Hence, there is no sense in accepting them via KVM_IRQFD. Prevent them from entering the system in the first place.

BUG=chromium:770154
TEST=Build and run

Change-Id: Idcc9f7606d1238645bbb4fd2def264a9f9f7071f
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 36ae3c0a36b)
Reviewed-on: https://chromium-review.googlesource.com/692836

[modify] https://crrev.com/5a07979c1a8cd0b21e59ef494c712f9279c842e1/virt/kvm/eventfd.c
Sep 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a4a65f8d9407a7d74893be1e6f4b7bc078052c95

commit a4a65f8d9407a7d74893be1e6f4b7bc078052c95
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Sat Sep 30 00:42:56 2017

UPSTREAM: KVM: Don't accept obviously wrong gsi values via KVM_IRQFD

We cannot add routes for gsi values >= KVM_MAX_IRQ_ROUTES -- see kvm_set_irq_routing(). Hence, there is no sense in accepting them via KVM_IRQFD. Prevent them from entering the system in the first place.

BUG=chromium:770154
TEST=Build and run

Change-Id: Idcc9f7606d1238645bbb4fd2def264a9f9f7071f
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 36ae3c0a36b)
Reviewed-on: https://chromium-review.googlesource.com/692834

[modify] https://crrev.com/a4a65f8d9407a7d74893be1e6f4b7bc078052c95/virt/kvm/eventfd.c
Oct 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/243b2b4c237df228057d47f880ba2a4609b704c0

commit 243b2b4c237df228057d47f880ba2a4609b704c0
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Tue Oct 03 00:27:19 2017

UPSTREAM: Revert "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD"

This reverts commit 36ae3c0a36b7456432fedce38ae2f7bd3e01a563.

The commit broke compilation on !CONFIG_HAVE_KVM_IRQ_ROUTING. Also, there may be cases with CONFIG_HAVE_KVM_IRQ_ROUTING, where larger gsi values make sense.

As the commit was meant as an early indicator to user space that something is wrong, reverting just restores the previous behavior where overly large values are ignored when encountered (without any direct feedback).

BUG=chromium:770154
TEST=Build and run

Change-Id: I486229ec34839d05a383daf3bc7dc91dcd430b52
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 95e2a3b3ef17)
Reviewed-on: https://chromium-review.googlesource.com/695930

[modify] https://crrev.com/243b2b4c237df228057d47f880ba2a4609b704c0/virt/kvm/eventfd.c
Oct 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c5270107379b6f43fbab370e60719b147c04a04a

commit c5270107379b6f43fbab370e60719b147c04a04a
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Tue Oct 03 00:27:22 2017

UPSTREAM: Revert "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD"

This reverts commit 36ae3c0a36b7456432fedce38ae2f7bd3e01a563.

The commit broke compilation on !CONFIG_HAVE_KVM_IRQ_ROUTING. Also, there may be cases with CONFIG_HAVE_KVM_IRQ_ROUTING, where larger gsi values make sense.

As the commit was meant as an early indicator to user space that something is wrong, reverting just restores the previous behavior where overly large values are ignored when encountered (without any direct feedback).

BUG=chromium:770154
TEST=Build and run

Change-Id: I486229ec34839d05a383daf3bc7dc91dcd430b52
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 95e2a3b3ef17)
Reviewed-on: https://chromium-review.googlesource.com/695931

[modify] https://crrev.com/c5270107379b6f43fbab370e60719b147c04a04a/virt/kvm/eventfd.c
Oct 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/5bde4cfd72ceddf39eeb4fc7208f7ea70756c30d

commit 5bde4cfd72ceddf39eeb4fc7208f7ea70756c30d
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Tue Oct 03 03:25:47 2017

UPSTREAM: Revert "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD"

This reverts commit 36ae3c0a36b7456432fedce38ae2f7bd3e01a563.

The commit broke compilation on !CONFIG_HAVE_KVM_IRQ_ROUTING. Also, there may be cases with CONFIG_HAVE_KVM_IRQ_ROUTING, where larger gsi values make sense.

As the commit was meant as an early indicator to user space that something is wrong, reverting just restores the previous behavior where overly large values are ignored when encountered (without any direct feedback).

BUG=chromium:770154
TEST=Build and run

Change-Id: I486229ec34839d05a383daf3bc7dc91dcd430b52
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 95e2a3b3ef17)
Reviewed-on: https://chromium-review.googlesource.com/695932

[modify] https://crrev.com/5bde4cfd72ceddf39eeb4fc7208f7ea70756c30d/virt/kvm/eventfd.c
Oct 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/199249510c098962d042693fdede49befb43aa8c

commit 199249510c098962d042693fdede49befb43aa8c
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Tue Oct 03 03:25:39 2017

UPSTREAM: Revert "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD"

This reverts commit 36ae3c0a36b7456432fedce38ae2f7bd3e01a563.

The commit broke compilation on !CONFIG_HAVE_KVM_IRQ_ROUTING. Also, there may be cases with CONFIG_HAVE_KVM_IRQ_ROUTING, where larger gsi values make sense.

As the commit was meant as an early indicator to user space that something is wrong, reverting just restores the previous behavior where overly large values are ignored when encountered (without any direct feedback).

BUG=chromium:770154
TEST=Build and run

Change-Id: I486229ec34839d05a383daf3bc7dc91dcd430b52
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 95e2a3b3ef17)
Reviewed-on: https://chromium-review.googlesource.com/696025
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/199249510c098962d042693fdede49befb43aa8c/virt/kvm/eventfd.c
Oct 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e8b721e01f5a67489b6a8169c8e66a70f6b0dd07

commit e8b721e01f5a67489b6a8169c8e66a70f6b0dd07
Author: Jan H. Schönherr <jschoenh@amazon.de>
Date: Tue Oct 03 03:25:44 2017

UPSTREAM: Revert "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD"

This reverts commit 36ae3c0a36b7456432fedce38ae2f7bd3e01a563.

The commit broke compilation on !CONFIG_HAVE_KVM_IRQ_ROUTING. Also, there may be cases with CONFIG_HAVE_KVM_IRQ_ROUTING, where larger gsi values make sense.

As the commit was meant as an early indicator to user space that something is wrong, reverting just restores the previous behavior where overly large values are ignored when encountered (without any direct feedback).

BUG=chromium:770154
TEST=Build and run

Change-Id: I486229ec34839d05a383daf3bc7dc91dcd430b52
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 95e2a3b3ef17)
Reviewed-on: https://chromium-review.googlesource.com/695929

[modify] https://crrev.com/e8b721e01f5a67489b6a8169c8e66a70f6b0dd07/virt/kvm/eventfd.c
Oct 3 2017
Guenter, so 3a8b0677fc6 ("KVM: VMX: Do not BUG() on out-of-bounds guest IRQ") only would suffice for the CVE?
Oct 3 2017
#20: Yes, that is my understanding.
Oct 3 2017
Great. Thanks
Jan 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Sep 29 2017
Owner: groeck@chromium.org
Status: ExternalDependency (was: Untriaged)