From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2021-47092: KVM: VMX: Always clear vmx->fail on emulation_required
Date: Mon, 4 Mar 2024 19:11:19 +0100
Message-ID: <2024030414-CVE-2021-47092-36e2@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Always clear vmx->fail on emulation_required

Revert a relatively recent change that set vmx->fail if the vCPU is in L2
and emulation_required is true, as that behavior is completely bogus.
Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:

  (a) it's impossible to have both a VM-Fail and VM-Exit
  (b) vmcs.EXIT_REASON is not modified on VM-Fail
  (c) emulation_required refers to guest state and guest state checks are
      always VM-Exits, not VM-Fails.

For KVM specifically, emulation_required is handled before nested exits in
__vmx_handle_exit(), thus setting vmx->fail has no immediate effect, i.e.
KVM calls into handle_invalid_guest_state() and vmx->fail is ignored.
Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit()
firing when tearing down the VM as KVM never expects vmx->fail to be set
when L2 is active, KVM always reflects those errors into L1.
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548 nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
  Modules linked in:
  CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
  Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80
  Call Trace:
   vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]
   nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330
   vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799
   kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989
   kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441
   kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]
   kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545
   kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]
   kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220
   kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489
   __fput+0x3fc/0x870 fs/file_table.c:280
   task_work_run+0x146/0x1c0 kernel/task_work.c:164
   exit_task_work include/linux/task_work.h:32 [inline]
   do_exit+0x705/0x24f0 kernel/exit.c:832
   do_group_exit+0x168/0x2d0 kernel/exit.c:929
   get_signal+0x1740/0x2120 kernel/signal.c:2852
   arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868
   handle_signal_work kernel/entry/common.c:148 [inline]
   exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
   exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
   __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
   syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
   do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
   entry_SYSCALL_64_after_hwframe+0x44/0xae

The Linux kernel CVE team has assigned CVE-2021-47092 to this issue.
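The contradiction described above, as an added model in C that is not KVM source: vcpu_model, handle_emulation_required, teardown and scenario are constructed stand-ins for the vmx_vcpu_run() / nested_vmx_vmexit() paths, and the flag names mirror the fields named in the text. It shows why the WARN in the trace fires only at teardown and only on the reverted behaviour.

```c
/* Toy model of the vmx->fail vs. synthesized VM-Exit interaction described
 * above. Not KVM source: vcpu_model, handle_emulation_required and teardown
 * are constructed stand-ins for the vmx_vcpu_run()/nested_vmx_vmexit() paths. */
#include <stdbool.h>

struct vcpu_model {
    bool in_l2;              /* is_guest_mode(vcpu): L2 is active */
    bool emulation_required; /* invalid guest state, KVM must emulate */
    bool fail;               /* vmx->fail: the vCPU saw a VM-Fail */
    bool exit_synthesized;   /* KVM synthesized a VM-Exit for this run */
};

/* emulation_required handling. fixed=false is the reverted change, which also
 * set vmx->fail whenever L2 was active; fixed=true always clears it, since a
 * guest-state check is a VM-Exit and never a VM-Fail (points (a)-(c)). */
static void handle_emulation_required(struct vcpu_model *v, bool fixed)
{
    if (!v->emulation_required)
        return;
    v->exit_synthesized = true;
    v->fail = fixed ? false : v->in_l2;
}

/* Invariant (a): a VM-Fail and a VM-Exit never coexist. */
static bool exit_state_consistent(const struct vcpu_model *v)
{
    return !(v->fail && v->exit_synthesized);
}

/* Models vmx_leave_nested() -> nested_vmx_vmexit() at VM teardown: errors
 * are reflected into L1, so vmx->fail set with L2 active hits the WARN.
 * Returns the number of WARNs fired (the trace above shows one). */
static int teardown(struct vcpu_model *v)
{
    int warns = (v->in_l2 && v->fail) ? 1 : 0;
    v->in_l2 = false;
    return warns;
}

/* Drive an L2 vCPU with invalid guest state through one path, then tear it
 * down. *consistent reports invariant (a) after the run; the return value
 * is the WARN count from teardown (the delayed effect the text describes). */
static int scenario(bool fixed, bool *consistent)
{
    struct vcpu_model v = { .in_l2 = true, .emulation_required = true };
    handle_emulation_required(&v, fixed);
    *consistent = exit_state_consistent(&v);
    return teardown(&v);
}
```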
Affected and fixed versions
===========================

  Issue introduced in 5.15 with commit c8607e4a086f and fixed in 5.15.12 with commit e4e4e7cb2298
  Issue introduced in 5.15 with commit c8607e4a086f and fixed in 5.16 with commit a80dfc025924

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
  https://cve.org/CVERecord/?id=CVE-2021-47092
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
  arch/x86/kvm/vmx/vmx.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable
kernel version for this, and many other bugfixes. Individual changes are
never tested alone, but rather are part of a larger kernel release.
Cherry-picking individual commits is not recommended or supported by the
Linux kernel community at all. If, however, updating to the latest release
is impossible, the individual changes to resolve this issue can be found
at these commits:
  https://git.kernel.org/stable/c/e4e4e7cb229821cd215031abc47efdab5486a67c
  https://git.kernel.org/stable/c/a80dfc025924024d2c61a4c1b8ef62b2fce76a04