ghsa-2f9c-gcww-48v7
Vulnerability from github
Published
2024-06-20 12:31
Modified
2024-06-20 12:31
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Forcibly leave nested virt when SMM state is toggled

Forcibly leave nested virtualization operation if userspace toggles SMM state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both vmxon=false and smm.vmxon=false, but all other nVMX state allocated.

Don't attempt to gracefully handle the transition as (a) most transitions are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't sufficient information to handle all transitions, e.g. SVM wants access to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede KVM_SET_NESTED_STATE during state restore as the latter disallows putting the vCPU into L2 if SMM is active, and disallows tagging the vCPU as being post-VMXON in SMM if SMM is not active.

Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU in an architecturally impossible state.

WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Modules linked in: CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 Call Trace: kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline] kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460 kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline] kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline] kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250 kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273 __fput+0x286/0x9f0 fs/file_table.c:311 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xb29/0x2a30 kernel/exit.c:806 do_group_exit+0xd2/0x2f0 kernel/exit.c:935 get_signal+0x4b0/0x28c0 kernel/signal.c:2862 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2022-48763"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T12:15:14Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Forcibly leave nested virt when SMM state is toggled\n\nForcibly leave nested virtualization operation if userspace toggles SMM\nstate via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS.  If userspace\nforces the vCPU out of SMM while it\u0027s post-VMXON and then injects an SMI,\nvmx_enter_smm() will overwrite vmx-\u003enested.smm.vmxon and end up with both\nvmxon=false and smm.vmxon=false, but all other nVMX state allocated.\n\nDon\u0027t attempt to gracefully handle the transition as (a) most transitions\nare nonsencial, e.g. forcing SMM while L2 is running, (b) there isn\u0027t\nsufficient information to handle all transitions, e.g. SVM wants access\nto the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede\nKVM_SET_NESTED_STATE during state restore as the latter disallows putting\nthe vCPU into L2 if SMM is active, and disallows tagging the vCPU as\nbeing post-VMXON in SMM if SMM is not active.\n\nAbuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX\ndue to failure to free vmcs01\u0027s shadow VMCS, but the bug goes far beyond\njust a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU\nin an architecturally impossible state.\n\n  WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n  WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n  Modules linked in:\n  CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]\n  RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656\n  Code: \u003c0f\u003e 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00\n  Call Trace:\n   \u003cTASK\u003e\n   kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123\n   kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]\n   kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460\n   kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]\n   kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676\n   kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]\n   kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250\n   kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273\n   __fput+0x286/0x9f0 fs/file_table.c:311\n   task_work_run+0xdd/0x1a0 kernel/task_work.c:164\n   exit_task_work include/linux/task_work.h:32 [inline]\n   do_exit+0xb29/0x2a30 kernel/exit.c:806\n   do_group_exit+0xd2/0x2f0 kernel/exit.c:935\n   get_signal+0x4b0/0x28c0 kernel/signal.c:2862\n   arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868\n   handle_signal_work kernel/entry/common.c:148 [inline]\n   exit_to_user_mode_loop kernel/entry/common.c:172 [inline]\n   exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207\n   __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]\n   syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300\n   do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n   \u003c/TASK\u003e",
  "id": "GHSA-2f9c-gcww-48v7",
  "modified": "2024-06-20T12:31:22Z",
  "published": "2024-06-20T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48763"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/080dbe7e9b86a0392d8dffc00d9971792afc121f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b4c0d89c92e957ecccce12e66b63875d0cc7af7e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e302786233e6bc512986d007c96458ccf5ca21c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7e570780efc5cec9b2ed1e0472a7da14e864fdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.