ghsa-5h86-42q5-w9hr
Vulnerability from github
Published
2025-12-08 03:31
Modified
2025-12-08 03:31
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Fix crash due to uninitialized current_vmcs

KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as a nested hypervisor on top of Hyper-V. When MSR bitmap is updated, evmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark that the msr bitmap was changed.

vmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr -> vmx_msr_bitmap_l01_changed which in the end calls this function. The function checks for current_vmcs if it is null but the check is insufficient because current_vmcs is not initialized. Because of this, the code might incorrectly write to the structure pointed by current_vmcs value left by another task. Preemption is not disabled, the current task can be preempted and moved to another CPU while current_vmcs is accessed multiple times from evmcs_touch_msr_bitmap() which leads to crash.

The manipulation of MSR bitmaps by callers happens only for vmcs01 so the solution is to use vmx->vmcs01.vmcs instead of current_vmcs.

BUG: kernel NULL pointer dereference, address: 0000000000000338 PGD 4e1775067 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI ... RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel] ... Call Trace: vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel] vmx_vcpu_create+0xe6/0x540 [kvm_intel] kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm] kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm] kvm_vm_ioctl+0x53f/0x790 [kvm] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53756"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T02:15:51Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Fix crash due to uninitialized current_vmcs\n\nKVM enables \u0027Enlightened VMCS\u0027 and \u0027Enlightened MSR Bitmap\u0027 when running as\na nested hypervisor on top of Hyper-V. When MSR bitmap is updated,\nevmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark\nthat the msr bitmap was changed.\n\nvmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr\n-\u003e vmx_msr_bitmap_l01_changed which in the end calls this function. The\nfunction checks for current_vmcs if it is null but the check is\ninsufficient because current_vmcs is not initialized. Because of this, the\ncode might incorrectly write to the structure pointed by current_vmcs value\nleft by another task. Preemption is not disabled, the current task can be\npreempted and moved to another CPU while current_vmcs is accessed multiple\ntimes from evmcs_touch_msr_bitmap() which leads to crash.\n\nThe manipulation of MSR bitmaps by callers happens only for vmcs01 so the\nsolution is to use vmx-\u003evmcs01.vmcs instead of current_vmcs.\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000338\n  PGD 4e1775067 P4D 0\n  Oops: 0002 [#1] PREEMPT SMP NOPTI\n  ...\n  RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]\n  ...\n  Call Trace:\n   vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]\n   vmx_vcpu_create+0xe6/0x540 [kvm_intel]\n   kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]\n   kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]\n   kvm_vm_ioctl+0x53f/0x790 [kvm]\n   __x64_sys_ioctl+0x8a/0xc0\n   do_syscall_64+0x5c/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd",
  "id": "GHSA-5h86-42q5-w9hr",
  "modified": "2025-12-08T03:31:03Z",
  "published": "2025-12-08T03:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53756"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.