
Commit dcfa856

mattschlebusch authored and dianpopa committed
Add details to docs on CVE-2022-26373
Signed-off-by: Matthew Schlebusch <schlebus@amazon.com>
1 parent bbf28d3 commit dcfa856

File tree

1 file changed

+39
-0
lines changed


docs/prod-host-setup.md

Lines changed: 39 additions & 0 deletions
@@ -535,6 +535,42 @@ then KVM uses shadow pages.
535535
The vulnerability is fixed by [this commit][4]. The fix was integrated in
536536
5.10.119, 5.15.44 and 5.17.12 kernel releases.
537537

538+
#### [CVE-2022-26373](https://nvd.nist.gov/vuln/detail/CVE-2022-26373)
539+
540+
##### Description
541+
542+
Isolation boundaries between processes are vulnerable to a return stack
543+
buffer underflow. This may result in some processors allowing neighbouring
544+
guests to access data in other processes via local access.
545+
546+
This issue is not impacted by environments that make use of `RETPOLINE` as
547+
this results in [RSB stuffing implemented by KVM][5] which Firecracker uses
548+
exclusively.
549+
550+
##### Impact
551+
552+
A malicious attacker running on a guest can access information in other guests
553+
running on the same host.
554+
555+
##### Vulnerable systems
556+
557+
The vulnerability affects systems that do not have `RETPOLINE` enabled
558+
and use the following host kernel versions:
559+
560+
- 5.10.x prior to 5.10.135
561+
- 5.15.x prior to 5.15.57
562+
563+
See earlier in this document for checking `RETPOLINE` configuration.
564+
You can check the version of the kernel being used with:
565+
566+
```
567+
uname -r
568+
```
569+
570+
##### Mitigation
571+
572+
The vulnerability is fixed in [these releases][6] by the [commits merged upstream][7].
573+
538574
#### [ARM only] Physical counter directly passed through to the guest
539575

540576
On ARM, the physical counter (i.e `CNTPCT`) it is returning the
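Review bot: the second paragraph of the new Description states the relationship backwards: "This issue is not impacted by environments that make use of `RETPOLINE`" should say that environments using `RETPOLINE` are not impacted by this issue. Suggested wording: "Environments that use `RETPOLINE` are not affected by this issue, because this results in [RSB stuffing implemented by KVM][5], which Firecracker uses exclusively." Two further points in this hunk: the Description says neighbouring guests can access data "in other processes" while the Impact section says a guest can access information "in other guests", so the two should use the same wording; and the Vulnerable systems list names only 5.10.x and 5.15.x, so it should state explicitly whether 5.17.x and later host kernels are considered affected, since the fix is referenced as an upstream commit. Minor: the fence around `uname -r` has no language tag, so consider tagging it (for example ```bash) to match how the rest of the document renders shell commands.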
@@ -547,3 +583,6 @@ to trap and control this in the hypervisor.
547583
[2]: https://lists.cs.columbia.edu/pipermail/kvmarm/2017-January/023323.html
548584
[3]: https://elixir.bootlin.com/linux/v4.17/source/include/uapi/linux/prctl.h#L212
549585
[4]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=9f46c187e2e680ecd9de7983e4d081c3391acc76
586+
[5]: https://elixir.bootlin.com/linux/v5.10.131/source/arch/x86/kvm/vmx/vmenter.S#L78
587+
[6]: https://alas.aws.amazon.com/cve/html/CVE-2022-26373.html
588+
[7]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce114c866860
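Review bot: reference [7] uses an abbreviated commit id (`ce114c866860`) while [4] in the same file uses the full 40-character SHA; use the full SHA here as well so the link is unambiguous and the two references are consistent. Reference [6] points to the Amazon Linux advisory rather than to upstream stable releases, so the Mitigation sentence "fixed in [these releases][6]" should say that these are Amazon Linux kernel releases; the version-pinned line link in [5] (v5.10.131, `#L78`) is fine as it will not move.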
