fkie_cve-2023-53756
Vulnerability from fkie_nvd
Published
2025-12-08 02:15
Modified
2025-12-08 18:26
Severity: not yet scored (the record carries no CVSS metrics; NVD status is "Awaiting Analysis")
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: VMX: Fix crash due to uninitialized current_vmcs
KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as
a nested hypervisor on top of Hyper-V. When the MSR bitmap is updated, the
evmcs_touch_msr_bitmap function uses the current_vmcs per-cpu variable to mark
that the msr bitmap was changed.
vmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr
-> vmx_msr_bitmap_l01_changed, which in the end calls this function. The
function checks whether current_vmcs is null, but the check is
insufficient because current_vmcs is not initialized. Because of this, the
code might incorrectly write to the structure pointed to by the current_vmcs value
left by another task. Preemption is not disabled, so the current task can be
preempted and moved to another CPU while current_vmcs is accessed multiple
times from evmcs_touch_msr_bitmap(), which leads to a crash.
The manipulation of MSR bitmaps by callers happens only for vmcs01, so the
solution is to use vmx->vmcs01.vmcs instead of current_vmcs.
BUG: kernel NULL pointer dereference, address: 0000000000000338
PGD 4e1775067 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
...
RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]
...
Call Trace:
vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]
vmx_vcpu_create+0xe6/0x540 [kvm_intel]
kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]
kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]
kvm_vm_ioctl+0x53f/0x790 [kvm]
__x64_sys_ioctl+0x8a/0xc0
do_syscall_64+0x5c/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
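The commit message describes two distinct defects in one function: the per-cpu pointer is never initialised for the new vCPU (so a stale value from another task passes the NULL check and the wrong structure is written), and preemption is not disabled, so the task can migrate between two reads of the per-cpu variable and dereference a NULL left on the new CPU. The following is an added, user-space model of that pattern; it is not the kernel's code and not part of the commit. The structure names, the CLEAN_FIELD_MSR_BITMAP bit, the two-CPU array standing in for the per-cpu variable, and the "migrate after N reads" hook are all constructed for the illustration; the real layouts, field names and offsets (such as the 0x338 in the oops above) are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the enlightened-VMCS fields the bug touches. */
struct evmcs {
    bool     msr_bitmap_enlightened;   /* stands in for hv_enlightenments_control.msr_bitmap */
    uint32_t hv_clean_fields;
};
#define CLEAN_FIELD_MSR_BITMAP (1u << 0) /* hypothetical bit; real mask name differs */

struct vcpu_vmx {
    struct evmcs *vmcs01;              /* stands in for vmx->vmcs01.vmcs */
};

/* Constructed model of the per-cpu variable and of a task that may migrate. */
#define NR_CPUS 2
static struct evmcs *current_vmcs[NR_CPUS];
static int cpu;            /* CPU the task is currently running on */
static int reads;          /* per-cpu reads performed so far */
static int migrate_after;  /* move to CPU 1 when this many reads are done; -1 = never */

static struct evmcs *this_cpu_read_current_vmcs(void)
{
    /* Preemption is not disabled on the buggy path, so the scheduler may move
       the task between any two reads of the per-cpu variable. */
    if (reads++ == migrate_after)
        cpu = 1;
    return current_vmcs[cpu];
}

/* Buggy pattern as the commit message describes it: the per-cpu pointer is
   re-read for the NULL check, the control check and the write. Returns 0, or
   -1 at the point where the real kernel would oops on a NULL pointer. */
static int touch_msr_bitmap_buggy(void)
{
    if (!this_cpu_read_current_vmcs())
        return 0;
    struct evmcs *e = this_cpu_read_current_vmcs();
    if (!e)
        return -1;
    if (e->msr_bitmap_enlightened) {
        e = this_cpu_read_current_vmcs();
        if (!e)
            return -1;
        e->hv_clean_fields &= ~CLEAN_FIELD_MSR_BITMAP;
    }
    return 0;
}

/* Fixed pattern: the caller knows it is editing vmcs01, so it touches that
   VMCS directly and never consults the per-cpu variable. */
static int touch_msr_bitmap_fixed(struct vcpu_vmx *vmx)
{
    struct evmcs *e = vmx->vmcs01;
    if (e->msr_bitmap_enlightened)
        e->hv_clean_fields &= ~CLEAN_FIELD_MSR_BITMAP;
    return 0;
}

struct outcome {
    int      rc;              /* 0 ok, -1 would have crashed */
    uint32_t stranger_clean;  /* clean-fields of a VMCS belonging to another task */
    uint32_t own_clean;       /* clean-fields of the VMCS this vCPU owns */
};

/* Constructed scenario: CPU 0 still holds a pointer left behind by another
   task (nothing initialised it for the new vCPU), CPU 1 holds NULL. */
static struct outcome run(bool fixed, int migrate_after_reads)
{
    struct evmcs stranger = { true, ~0u };
    struct evmcs own      = { true, ~0u };
    struct vcpu_vmx vmx   = { &own };
    current_vmcs[0] = &stranger;
    current_vmcs[1] = NULL;
    cpu = 0;
    reads = 0;
    migrate_after = migrate_after_reads;

    struct outcome o;
    o.rc = fixed ? touch_msr_bitmap_fixed(&vmx) : touch_msr_bitmap_buggy();
    o.stranger_clean = stranger.hv_clean_fields;
    o.own_clean      = own.hv_clean_fields;
    return o;
}

int main(void)
{
    struct outcome a = run(false, -1); /* buggy, no migration: writes someone else's VMCS */
    struct outcome b = run(false, 1);  /* buggy, migrated after the NULL check: crash */
    struct outcome c = run(true, 1);   /* fixed: migration is irrelevant, own VMCS updated */
    printf("buggy/no-migrate rc=%d stranger=%08x own=%08x\n", a.rc, a.stranger_clean, a.own_clean);
    printf("buggy/migrate    rc=%d\n", b.rc);
    printf("fixed            rc=%d stranger=%08x own=%08x\n", c.rc, c.stranger_clean, c.own_clean);
    return 0;
}
```

The model makes the point of the fix visible: wrapping the buggy function in preempt_disable()/preempt_enable() would close the migration window (scenario b) but would still let the stale pointer pass the NULL check and corrupt another task's VMCS (scenario a). Using the VMCS the caller owns removes both problems at once, which is why the patch switches to vmx->vmcs01.vmcs rather than adding locking around current_vmcs.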
References
- https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4
- https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc
- https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2
- https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b
- https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f
Impacted products
No vendor/product/version (CPE) configurations are attached to the record yet; the NVD status is "Awaiting Analysis". The affected and fixed kernel versions are those identified by the stable-tree commits listed under References.
```json
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Fix crash due to uninitialized current_vmcs\n\nKVM enables \u0027Enlightened VMCS\u0027 and \u0027Enlightened MSR Bitmap\u0027 when running as\na nested hypervisor on top of Hyper-V. When MSR bitmap is updated,\nevmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark\nthat the msr bitmap was changed.\n\nvmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr\n-\u003e vmx_msr_bitmap_l01_changed which in the end calls this function. The\nfunction checks for current_vmcs if it is null but the check is\ninsufficient because current_vmcs is not initialized. Because of this, the\ncode might incorrectly write to the structure pointed by current_vmcs value\nleft by another task. Preemption is not disabled, the current task can be\npreempted and moved to another CPU while current_vmcs is accessed multiple\ntimes from evmcs_touch_msr_bitmap() which leads to crash.\n\nThe manipulation of MSR bitmaps by callers happens only for vmcs01 so the\nsolution is to use vmx-\u003evmcs01.vmcs instead of current_vmcs.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000338\n PGD 4e1775067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n ...\n RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]\n ...\n Call Trace:\n vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]\n vmx_vcpu_create+0xe6/0x540 [kvm_intel]\n kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]\n kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]\n kvm_vm_ioctl+0x53f/0x790 [kvm]\n __x64_sys_ioctl+0x8a/0xc0\n do_syscall_64+0x5c/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd"
    }
  ],
  "id": "CVE-2023-53756",
  "lastModified": "2025-12-08T18:26:19.900",
  "metrics": {},
  "published": "2025-12-08T02:15:51.243",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}
```
Sightings
No sightings have been recorded for this entry.
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.