Your submission was sent successfully! Close

CVE-2019-3016

Published: 30 January 2020

In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.

From the Ubuntu security team

It was discovered that the KVM implementation in the Linux kernel, when paravirtual TLB flushes are enabled in guests, the hypervisor in some situations could miss deferred TLB flushes or otherwise mishandle them. An attacker in a guest VM could use this to expose sensitive information (read memory from another guest VM).

Priority

Medium

CVSS 3 base score: 4.7

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.13.0-16.19)
disco Ignored
(reached end-of-life)
eoan
Released (5.3.0-42.34)
focal Not vulnerable
(5.4.0-18.22)
precise Not vulnerable
(3.0.0-12.20)
trusty Not vulnerable
(3.11.0-12.19)
upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.2.0-16.19)
linux-aws
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.15.0-1001.1)
disco Ignored
(reached end-of-life)
eoan
Released (5.3.0-1013.14)
focal Not vulnerable
(5.4.0-1005.5)
precise Does not exist

trusty Not vulnerable
(4.4.0-1002.2)
upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.4.0-1001.10)
linux-aws-5.0
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1027.30)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-aws-hwe
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.15.0-1030.31~16.04.1)
linux-azure
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1035.37)
disco Ignored
(reached end-of-life)
eoan
Released (5.3.0-1016.17)
focal Not vulnerable
(5.4.0-1006.6)
precise Does not exist

trusty Ignored
(was needed ESM criteria)
upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.11.0-1009.9)
linux-azure-5.3
Launchpad, Ubuntu, Debian
bionic
Released (5.3.0-1016.17~18.04.1)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-azure-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(was needs-triage now end-of-life)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Ignored
(was needs-triage now end-of-life)
linux-gcp
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1033.34)
disco Ignored
(reached end-of-life)
eoan
Released (5.3.0-1014.15)
focal Not vulnerable
(5.4.0-1005.5)
precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.10.0-1004.4)
linux-gcp-5.3
Launchpad, Ubuntu, Debian
bionic
Released (5.3.0-1014.15~18.04.1)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-gcp-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(was needs-triage now end-of-life)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-gke-4.15
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.15.0-1030.32)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-gke-5.0
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1032.33)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-gke-5.3
Launchpad, Ubuntu, Debian
bionic
Released (5.3.0-1014.15~18.04.1)
eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-hwe
Launchpad, Ubuntu, Debian
bionic
Released (5.3.0-42.34~18.04.1)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.8.0-36.36~16.04.1)
linux-hwe-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(was needs-triage now end-of-life)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Ignored
(was needs-triage now end-of-life)
linux-kvm
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.15.0-1002.2)
disco Ignored
(reached end-of-life)
eoan
Released (5.3.0-1012.13)
focal Not vulnerable
(5.4.0-1004.4)
precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.4.0-1004.9)
linux-lts-trusty
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

precise Not vulnerable
(3.13.0-24.46~precise1)
trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-lts-xenial
Launchpad, Ubuntu, Debian
bionic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Not vulnerable
(4.4.0-13.29~14.04.1)
upstream
Released (5.6~rc1)
xenial Does not exist

linux-oem
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.15.0-1002.3)
disco Ignored
(reached end-of-life)
eoan Not vulnerable
(4.15.0-1035.40)
focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Ignored
(was needs-triage now end-of-life)
linux-oem-5.6
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal Not vulnerable
(5.6.0-1007.7)
precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-oem-osp1
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1043.48)
disco Ignored
(reached end-of-life)
eoan
Released (5.0.0-1043.48)
focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-oracle
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.15.0-1007.9)
disco Ignored
(reached end-of-life)
eoan
Released (5.3.0-1011.12)
focal Not vulnerable
(5.4.0-1005.5)
precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.15.0-1007.9~16.04.1)
linux-oracle-5.0
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1013.18)
disco Does not exist

eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-oracle-5.3
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(5.3.0-1011.12~18.04.1)
eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-raspi2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.13.0-1005.5)
disco Ignored
(reached end-of-life)
eoan
Released (5.3.0-1019.21)
focal Ignored
(was needed now end-of-life)
precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.2.0-1013.19)
linux-raspi2-5.3
Launchpad, Ubuntu, Debian
bionic
Released (5.3.0-1019.21~18.04.1)
eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Does not exist

linux-snapdragon
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(4.4.0-1077.82)
disco Ignored
(reached end-of-life)
eoan Does not exist

focal Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (5.6~rc1)
xenial Not vulnerable
(4.4.0-1012.12)

Notes

AuthorNote
tyhicks
This issue does not affect default installations of Ubuntu as the
paravirtual TLB flush feature in KVM is not enabled by default. The QEMU CPU
feature "kvm-pv-tlb-flush" is used to enable paravirtual TLB flush.
cascardo
It is thought that issue does not affect Intel processors
*not* supporting Process-Context Identifiers (PCIDs). You can check
support for PCIDs on systems with Intel processors by running "grep pcid
/proc/cpuinfo" and verifying that "pcid" shows as one of the flags.
it was mentioned that it was only easily reproducible on AMD
CPUs.

References

Bugs