CVE-2021-47092
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/03/2024
Last modified:
14/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
KVM: VMX: Always clear vmx->fail on emulation_required<br />
<br />
Revert a relatively recent change that set vmx->fail if the vCPU is in L2<br />
and emulation_required is true, as that behavior is completely bogus.<br />
Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:<br />
<br />
(a) it&#39;s impossible to have both a VM-Fail and VM-Exit<br />
(b) vmcs.EXIT_REASON is not modified on VM-Fail<br />
(c) emulation_required refers to guest state and guest state checks are<br />
always VM-Exits, not VM-Fails.<br />
<br />
For KVM specifically, emulation_required is handled before nested exits<br />
in __vmx_handle_exit(), thus setting vmx->fail has no immediate effect,<br />
i.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored.<br />
Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit()<br />
firing when tearing down the VM as KVM never expects vmx->fail to be set<br />
when L2 is active, KVM always reflects those errors into L1.<br />
<br />
------------[ cut here ]------------<br />
WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548<br />
nested_vmx_vmexit+0x16bd/0x17e0<br />
arch/x86/kvm/vmx/nested.c:4547<br />
Modules linked in:<br />
CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br />
RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547<br />
Code: 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80<br />
Call Trace:<br />
vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]<br />
nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330<br />
vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799<br />
kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989<br />
kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441<br />
kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]<br />
kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545<br />
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]<br />
kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220<br />
kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489<br />
__fput+0x3fc/0x870 fs/file_table.c:280<br />
task_work_run+0x146/0x1c0 kernel/task_work.c:164<br />
exit_task_work include/linux/task_work.h:32 [inline]<br />
do_exit+0x705/0x24f0 kernel/exit.c:832<br />
do_group_exit+0x168/0x2d0 kernel/exit.c:929<br />
get_signal+0x1740/0x2120 kernel/signal.c:2852<br />
arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868<br />
handle_signal_work kernel/entry/common.c:148 [inline]<br />
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]<br />
exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207<br />
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]<br />
syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300<br />
do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15 (including) | 5.15.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page