ghsa-pxxf-f2vm-qfhg
Vulnerability from github
Published
2024-09-27 15:30
Modified
2024-09-27 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory.

Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS.

============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted

include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]

stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-46830"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T13:15:15Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS\n\nGrab kvm-\u003esrcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly\nleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX\nreads guest memory.\n\nNote, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN\nvia sync_regs(), which already holds SRCU.  I.e. trying to precisely use\nkvm_vcpu_srcu_read_lock() around the problematic SMM code would cause\nproblems.  Acquiring SRCU isn\u0027t all that expensive, so for simplicity,\ngrab it unconditionally for KVM_SET_VCPU_EVENTS.\n\n =============================\n WARNING: suspicious RCU usage\n 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted\n -----------------------------\n include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by repro/1071:\n  #0: ffff88811e424430 (\u0026vcpu-\u003emutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n\n stack backtrace:\n CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x7f/0x90\n  lockdep_rcu_suspicious+0x13f/0x1a0\n  kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]\n  kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n  nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]\n  load_vmcs12_host_state+0x432/0xb40 [kvm_intel]\n  vmx_leave_nested+0x30/0x40 [kvm_intel]\n  kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]\n  kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]\n  ? mark_held_locks+0x49/0x70\n  ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n  ? kvm_vcpu_ioctl+0x497/0x970 [kvm]\n  kvm_vcpu_ioctl+0x497/0x970 [kvm]\n  ? lock_acquire+0xba/0x2d0\n  ? find_held_lock+0x2b/0x80\n  ? do_user_addr_fault+0x40c/0x6f0\n  ? lock_release+0xb7/0x270\n  __x64_sys_ioctl+0x82/0xb0\n  do_syscall_64+0x6c/0x170\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7ff11eb1b539\n  \u003c/TASK\u003e",
  "id": "GHSA-pxxf-f2vm-qfhg",
  "modified": "2024-09-27T15:30:34Z",
  "published": "2024-09-27T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46830"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2ee88da1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.