CVE-2023-53756

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: VMX: Fix crash due to uninitialized current_vmcs<br /> <br /> KVM enables &amp;#39;Enlightened VMCS&amp;#39; and &amp;#39;Enlightened MSR Bitmap&amp;#39; when running as<br /> a nested hypervisor on top of Hyper-V. When MSR bitmap is updated,<br /> evmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark<br /> that the msr bitmap was changed.<br /> <br /> vmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr<br /> -&gt; vmx_msr_bitmap_l01_changed which in the end calls this function. The<br /> function checks for current_vmcs if it is null but the check is<br /> insufficient because current_vmcs is not initialized. Because of this, the<br /> code might incorrectly write to the structure pointed by current_vmcs value<br /> left by another task. Preemption is not disabled, the current task can be<br /> preempted and moved to another CPU while current_vmcs is accessed multiple<br /> times from evmcs_touch_msr_bitmap() which leads to crash.<br /> <br /> The manipulation of MSR bitmaps by callers happens only for vmcs01 so the<br /> solution is to use vmx-&gt;vmcs01.vmcs instead of current_vmcs.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000338<br /> PGD 4e1775067 P4D 0<br /> Oops: 0002 [#1] PREEMPT SMP NOPTI<br /> ...<br /> RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel]<br /> ...<br /> Call Trace:<br /> vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel]<br /> vmx_vcpu_create+0xe6/0x540 [kvm_intel]<br /> kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm]<br /> kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm]<br /> kvm_vm_ioctl+0x53f/0x790 [kvm]<br /> __x64_sys_ioctl+0x8a/0xc0<br /> do_syscall_64+0x5c/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd