CVE-2023-53663

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 07/10/2025
Last modified: 03/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Check instead of asserting on nested TSC scaling support

Check for nested TSC scaling support on nested SVM VMRUN instead of
asserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIO
has diverged from KVM's default. Userspace can trigger the WARN at will
by writing the MSR and then updating guest CPUID to hide the feature
(modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking
KVM's state_test selftest to do

    vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);
    vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);

after restoring state in a new VM+vCPU yields an endless supply of:

    ------------[ cut here ]------------
    WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699
    nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]
    Call Trace:
    enter_svm_guest_mode+0x114/0x560 [kvm_amd]
    nested_svm_vmrun+0x260/0x330 [kvm_amd]
    vmrun_interception+0x29/0x30 [kvm_amd]
    svm_invoke_exit_handler+0x35/0x100 [kvm_amd]
    svm_handle_exit+0xe7/0x180 [kvm_amd]
    kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]
    kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]
    __se_sys_ioctl+0x7a/0xc0
    __x64_sys_ioctl+0x21/0x30
    do_syscall_64+0x41/0x90
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x45ca1b

Note, the nested #VMEXIT path has the same flaw, but needs a different
fix and will be handled separately.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.5.4 (excluding) |
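
A triage helper for KVM hosts, added here as an example and not part of the advisory or the kernel project: it checks a `uname -r` string against the version ranges in the table above and searches kernel log lines for the WARN quoted in the description. The function names and the sample log are constructed for illustration, and the version check assumes upstream numbering, so a distribution kernel with a backported fix can still report as in range.

```python
import re

# Affected upstream ranges from this page's CPE table: (from, inclusive) to (up to, exclusive).
AFFECTED = [((5, 16, 0), (6, 1, 54)), ((6, 2, 0), (6, 5, 4))]

# Source file and symbol taken from the WARN trace quoted in the description.
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at arch/x86/kvm/svm/nested\.c:\d+")
SYMBOL = "nested_vmcb02_prepare_control"


def parse_release(release):
    """Turn a `uname -r` string such as '6.1.53-generic' into (6, 1, 53)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release):
    """True if the version falls inside a range listed on this page.
    Treat True as 'verify the vendor changelog', not as proof of exposure."""
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def find_warn_pids(log_lines, window=2):
    """Return the PIDs of tasks that hit the nested SVM WARN.
    The symbol may sit on the WARNING line or be wrapped onto a following
    line, so the header line and the next `window` lines are searched."""
    pids = []
    for i, line in enumerate(log_lines):
        m = WARN_RE.search(line)
        if m and any(SYMBOL in l for l in log_lines[i:i + 1 + window]):
            pids.append(int(m.group(1)))
    return pids


# Constructed sample log: the first two lines follow the trace on this page,
# the last two are a made-up warning from the same file that must not match.
SAMPLE_LOG = [
    "[ 812.104] WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699",
    "[ 812.104] nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]",
    "[ 900.001] WARNING: CPU: 3 PID: 41 at arch/x86/kvm/svm/nested.c:100",
    "[ 900.001] constructed_other_function+0x10/0x20 [kvm_amd]",
]

if __name__ == "__main__":
    print(in_affected_range("6.1.53-generic"), find_warn_pids(SAMPLE_LOG))
```

Repeated hits from the same PID point at the VMM process that is driving the MSR write and CPUID change, which is the userspace-triggerable condition the description calls out.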