CVE-2020-36311 Overview
An issue was discovered in the Linux kernel before version 5.9 affecting the KVM (Kernel-based Virtual Machine) implementation for AMD SEV (Secure Encrypted Virtualization). The vulnerability exists in arch/x86/kvm/svm/sev.c and allows local attackers to cause a denial of service through a soft lockup condition. This occurs when an attacker triggers the destruction of a large SEV VM, which requires unregistering many encrypted memory regions, leading to prolonged kernel execution without yielding.
Critical Impact
Local attackers with access to KVM virtualization can cause system-wide denial of service through soft lockup, potentially affecting all services running on the host system.
Affected Products
- Linux Kernel versions before 5.9
- Debian Linux 9.0
- Debian Linux 10.0
Discovery Timeline
- 2021-04-07 - CVE CVE-2020-36311 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-36311
Vulnerability Analysis
This vulnerability affects the AMD SEV (Secure Encrypted Virtualization) implementation within the Linux kernel's KVM hypervisor subsystem. When a large SEV-enabled virtual machine is destroyed, the kernel must unregister numerous encrypted memory regions that were established for the guest VM's secure memory space.
The root issue lies in the handling of these memory region deregistration operations. When processing a large number of encrypted regions sequentially, the kernel fails to properly yield execution, causing the CPU to remain in kernel mode for an extended period. This triggers the kernel's soft lockup detection mechanism, which interprets the prolonged execution as a system hang.
The impact is a denial of service condition where the system becomes unresponsive. On systems hosting multiple virtual machines or critical services, this can lead to widespread service disruption. The vulnerability requires local access to the system with privileges sufficient to create and destroy KVM virtual machines with SEV enabled.
Root Cause
The root cause is an algorithmic complexity issue in the SEV VM teardown path. The sev.c code processes encrypted memory region unregistration in a manner that holds kernel resources for too long without allowing the scheduler to preempt the operation. When destroying VMs with many encrypted regions, this non-preemptible execution exceeds the kernel's watchdog timeout threshold, triggering a soft lockup warning and potential system instability.
Attack Vector
The attack requires local access to a system running the vulnerable Linux kernel with KVM and AMD SEV support enabled. An attacker with sufficient privileges to manage KVM virtual machines can exploit this vulnerability by:
- Creating a large SEV-enabled virtual machine with numerous encrypted memory regions
- Deliberately destroying the VM to trigger the mass unregistration of encrypted regions
- The kernel enters a prolonged non-preemptible state during cleanup operations
- A soft lockup condition occurs, causing denial of service
The vulnerability is exploited through legitimate VM management operations rather than malformed input, making it a resource exhaustion type of denial of service attack.
Detection Methods for CVE-2020-36311
Indicators of Compromise
- Kernel log messages indicating soft lockup warnings with stack traces pointing to sev.c or KVM-related functions
- System becoming unresponsive during SEV VM destruction operations
- Watchdog timeout errors in system logs coinciding with VM termination events
- Elevated CPU usage in kernel mode during VM cleanup operations
Detection Strategies
- Monitor kernel logs for soft lockup warnings using tools like dmesg or centralized logging solutions
- Implement alerting on watchdog timeout events, particularly those associated with KVM processes
- Track KVM VM lifecycle events and correlate with system responsiveness metrics
- Deploy kernel instrumentation to monitor execution time in SEV-related code paths
Monitoring Recommendations
- Configure real-time alerting for kernel soft lockup messages via syslog monitoring
- Establish baseline metrics for VM destruction operations and alert on anomalous duration
- Monitor /var/log/kern.log and /var/log/messages for soft lockup indicators
- Implement host-level health checks that can detect system unresponsiveness
How to Mitigate CVE-2020-36311
Immediate Actions Required
- Upgrade the Linux kernel to version 5.9 or later where the vulnerability is addressed
- Apply vendor-specific security patches from Debian or other distribution maintainers
- Limit access to KVM VM management capabilities to trusted administrators only
- Consider disabling AMD SEV functionality if not required until patching is complete
Patch Information
The vulnerability was addressed in Linux kernel version 5.9. The fix is identified by commit 7be74942f184fdfba34ddd19a0d995deb34d4a03 in the upstream kernel repository. The patch modifies the SEV VM destruction handling to properly yield execution during the unregistration of encrypted memory regions, preventing the soft lockup condition.
For detailed patch information, refer to:
Debian users should refer to Debian Security Advisory DSA-4941 and the Debian LTS Announcement for distribution-specific patches.
Workarounds
- Restrict KVM management permissions to minimize the attack surface until patching can be completed
- Limit the maximum number of encrypted memory regions per VM through organizational policy
- Implement resource quotas on VM creation to prevent excessively large SEV VMs
- Monitor and rate-limit VM destruction operations in high-risk environments
- Consider temporarily disabling SEV support via kernel boot parameters (mem_encrypt=off or kvm_amd.sev=0) if the feature is not essential
# Disable AMD SEV support via kernel boot parameter
# Add to GRUB configuration in /etc/default/grub
GRUB_CMDLINE_LINUX="kvm_amd.sev=0"
# Update GRUB and reboot
sudo update-grub
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
