fkie_cve-2023-53319
Vulnerability from fkie_nvd
Published
2025-09-16 17:15
Modified
2025-09-17 14:18
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm Currently there is no synchronisation between finalize_pkvm() and kvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if kvm_arm_init() fails resulting in the following warning on all the CPUs and eventually a HYP panic: | kvm [1]: IPA Size Limit: 48 bits | kvm [1]: Failed to init hyp memory protection | kvm [1]: error initializing Hyp mode: -22 | | <snip> | | WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50 | Modules linked in: | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237 | Hardware name: FVP Base RevC (DT) | pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) | pc : _kvm_host_prot_finalize+0x30/0x50 | lr : __flush_smp_call_function_queue+0xd8/0x230 | | Call trace: | _kvm_host_prot_finalize+0x3c/0x50 | on_each_cpu_cond_mask+0x3c/0x6c | pkvm_drop_host_privileges+0x4c/0x78 | finalize_pkvm+0x3c/0x5c | do_one_initcall+0xcc/0x240 | do_initcall_level+0x8c/0xac | do_initcalls+0x54/0x94 | do_basic_setup+0x1c/0x28 | kernel_init_freeable+0x100/0x16c | kernel_init+0x20/0x1a0 | ret_from_fork+0x10/0x20 | Failed to finalize Hyp protection: -22 | dtb=fvp-base-revc.dtb | kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540! | kvm [95]: nVHE call trace: | kvm [95]: [<ffff800081052984>] __kvm_nvhe_hyp_panic+0xac/0xf8 | kvm [95]: [<ffff800081059644>] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac | kvm [95]: [<ffff80008105511c>] __kvm_nvhe_handle_trap+0x4c/0x160 | kvm [95]: [<ffff8000810540fc>] __kvm_nvhe___skip_pauth_save+0x4/0x4 | kvm [95]: ---[ end nVHE call trace ]--- | kvm [95]: Hyp Offset: 0xfffe8db00ffa0000 | Kernel panic - not syncing: HYP panic: | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800 | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000 | VCPU:0000000000000000 | CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G W 6.4.0 #237 | Hardware name: FVP Base RevC (DT) | Workqueue: rpciod rpc_async_schedule | Call trace: | dump_backtrace+0xec/0x108 | show_stack+0x18/0x2c | dump_stack_lvl+0x50/0x68 | dump_stack+0x18/0x24 | panic+0x138/0x33c | nvhe_hyp_panic_handler+0x100/0x184 | new_slab+0x23c/0x54c | ___slab_alloc+0x3e4/0x770 | kmem_cache_alloc_node+0x1f0/0x278 | __alloc_skb+0xdc/0x294 | tcp_stream_alloc_skb+0x2c/0xf0 | tcp_sendmsg_locked+0x3d0/0xda4 | tcp_sendmsg+0x38/0x5c | inet_sendmsg+0x44/0x60 | sock_sendmsg+0x1c/0x34 | xprt_sock_sendmsg+0xdc/0x274 | xs_tcp_send_request+0x1ac/0x28c | xprt_transmit+0xcc/0x300 | call_transmit+0x78/0x90 | __rpc_execute+0x114/0x3d8 | rpc_async_schedule+0x28/0x48 | process_one_work+0x1d8/0x314 | worker_thread+0x248/0x474 | kthread+0xfc/0x184 | ret_from_fork+0x10/0x20 | SMP: stopping secondary CPUs | Kernel Offset: 0x57c5cb460000 from 0xffff800080000000 | PHYS_OFFSET: 0x80000000 | CPU features: 0x00000000,1035b7a3,ccfe773f | Memory Limit: none | ---[ end Kernel panic - not syncing: HYP panic: | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800 | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000 | VCPU:0000000000000000 ]--- Fix it by checking for the successfull initialisation of kvm_arm_init() in finalize_pkvm() before proceeding any futher.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/91450dec0445f4d12f960ba68d8d05c3cb2ab5b8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fa729bc7c9c8c17a2481358c841ef8ca920485d3
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm\n\nCurrently there is no synchronisation between finalize_pkvm() and\nkvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if\nkvm_arm_init() fails resulting in the following warning on all the CPUs\nand eventually a HYP panic:\n\n  | kvm [1]: IPA Size Limit: 48 bits\n  | kvm [1]: Failed to init hyp memory protection\n  | kvm [1]: error initializing Hyp mode: -22\n  |\n  | \u003csnip\u003e\n  |\n  | WARNING: CPU: 0 PID: 0 at arch/arm64/kvm/pkvm.c:226 _kvm_host_prot_finalize+0x30/0x50\n  | Modules linked in:\n  | CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0 #237\n  | Hardware name: FVP Base RevC (DT)\n  | pstate: 634020c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n  | pc : _kvm_host_prot_finalize+0x30/0x50\n  | lr : __flush_smp_call_function_queue+0xd8/0x230\n  |\n  | Call trace:\n  |  _kvm_host_prot_finalize+0x3c/0x50\n  |  on_each_cpu_cond_mask+0x3c/0x6c\n  |  pkvm_drop_host_privileges+0x4c/0x78\n  |  finalize_pkvm+0x3c/0x5c\n  |  do_one_initcall+0xcc/0x240\n  |  do_initcall_level+0x8c/0xac\n  |  do_initcalls+0x54/0x94\n  |  do_basic_setup+0x1c/0x28\n  |  kernel_init_freeable+0x100/0x16c\n  |  kernel_init+0x20/0x1a0\n  |  ret_from_fork+0x10/0x20\n  | Failed to finalize Hyp protection: -22\n  |     dtb=fvp-base-revc.dtb\n  | kvm [95]: nVHE hyp BUG at: arch/arm64/kvm/hyp/nvhe/mem_protect.c:540!\n  | kvm [95]: nVHE call trace:\n  | kvm [95]:  [\u003cffff800081052984\u003e] __kvm_nvhe_hyp_panic+0xac/0xf8\n  | kvm [95]:  [\u003cffff800081059644\u003e] __kvm_nvhe_handle_host_mem_abort+0x1a0/0x2ac\n  | kvm [95]:  [\u003cffff80008105511c\u003e] __kvm_nvhe_handle_trap+0x4c/0x160\n  | kvm [95]:  [\u003cffff8000810540fc\u003e] __kvm_nvhe___skip_pauth_save+0x4/0x4\n  | kvm [95]: ---[ end nVHE call trace ]---\n  | kvm [95]: Hyp Offset: 0xfffe8db00ffa0000\n  | Kernel panic - not syncing: HYP panic:\n  | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n  | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n  | VCPU:0000000000000000\n  | CPU: 3 PID: 95 Comm: kworker/u16:2 Tainted: G        W          6.4.0 #237\n  | Hardware name: FVP Base RevC (DT)\n  | Workqueue: rpciod rpc_async_schedule\n  | Call trace:\n  |  dump_backtrace+0xec/0x108\n  |  show_stack+0x18/0x2c\n  |  dump_stack_lvl+0x50/0x68\n  |  dump_stack+0x18/0x24\n  |  panic+0x138/0x33c\n  |  nvhe_hyp_panic_handler+0x100/0x184\n  |  new_slab+0x23c/0x54c\n  |  ___slab_alloc+0x3e4/0x770\n  |  kmem_cache_alloc_node+0x1f0/0x278\n  |  __alloc_skb+0xdc/0x294\n  |  tcp_stream_alloc_skb+0x2c/0xf0\n  |  tcp_sendmsg_locked+0x3d0/0xda4\n  |  tcp_sendmsg+0x38/0x5c\n  |  inet_sendmsg+0x44/0x60\n  |  sock_sendmsg+0x1c/0x34\n  |  xprt_sock_sendmsg+0xdc/0x274\n  |  xs_tcp_send_request+0x1ac/0x28c\n  |  xprt_transmit+0xcc/0x300\n  |  call_transmit+0x78/0x90\n  |  __rpc_execute+0x114/0x3d8\n  |  rpc_async_schedule+0x28/0x48\n  |  process_one_work+0x1d8/0x314\n  |  worker_thread+0x248/0x474\n  |  kthread+0xfc/0x184\n  |  ret_from_fork+0x10/0x20\n  | SMP: stopping secondary CPUs\n  | Kernel Offset: 0x57c5cb460000 from 0xffff800080000000\n  | PHYS_OFFSET: 0x80000000\n  | CPU features: 0x00000000,1035b7a3,ccfe773f\n  | Memory Limit: none\n  | ---[ end Kernel panic - not syncing: HYP panic:\n  | PS:a34023c9 PC:0000f250710b973c ESR:00000000f2000800\n  | FAR:ffff000800cb00d0 HPFAR:000000000880cb00 PAR:0000000000000000\n  | VCPU:0000000000000000 ]---\n\nFix it by checking for the successfull initialisation of kvm_arm_init()\nin finalize_pkvm() before proceeding any futher."
    }
  ],
  "id": "CVE-2023-53319",
  "lastModified": "2025-09-17T14:18:55.093",
  "metrics": {},
  "published": "2025-09-16T17:15:37.947",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/91450dec0445f4d12f960ba68d8d05c3cb2ab5b8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fa729bc7c9c8c17a2481358c841ef8ca920485d3"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.