CVE-2019-3016

Published: 30 January 2020

In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.

From the Ubuntu Security Team

It was discovered that the KVM implementation in the Linux kernel, when paravirtual TLB flushes are enabled in guests, the hypervisor in some situations could miss deferred TLB flushes or otherwise mishandle them. An attacker in a guest VM could use this to expose sensitive information (read memory from another guest VM).

Notes

This issue does not affect default installations of Ubuntu as the
paravirtual TLB flush feature in KVM is not enabled by default. The QEMU CPU
feature "kvm-pv-tlb-flush" is used to enable paravirtual TLB flush.

It is thought that issue does not affect Intel processors
*not* supporting Process-Context Identifiers (PCIDs). You can check
support for PCIDs on systems with Intel processors by running "grep pcid
/proc/cpuinfo" and verifying that "pcid" shows as one of the flags.
it was mentioned that it was only easily reproducible on AMD
CPUs.

Status

Severity score breakdown

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3016
• https://ubuntu.com/security/notices/USN-4300-1
• https://ubuntu.com/security/notices/USN-4301-1
• https://usn.ubuntu.com/lsn/0065-1/
• NVD
• Launchpad
• Debian