CVE-2024-53135
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/12/2024
Last modified: 14/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support
for virtualizing Intel PT via guest/host mode unless BROKEN=y. There are
myriad bugs in the implementation, some of which are fatal to the guest,
and others which put the stability and health of the host at risk.

For guest fatalities, the most glaring issue is that KVM fails to ensure
tracing is disabled, and *stays* disabled prior to VM-Enter, which is
necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing
is enabled (enforced via a VMX consistency check). Per the SDM:

  If the logical processor is operating with Intel PT enabled (if
  IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load
  IA32_RTIT_CTL" VM-entry control must be 0.

On the host side, KVM doesn't validate the guest CPUID configuration
provided by userspace, and even worse, uses the guest configuration to
decide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring
guest CPUID to enumerate more address ranges than are supported in hardware
will result in KVM trying to passthrough, save, and load non-existent MSRs,
which generates a variety of WARNs, ToPA ERRORs in the host, a potential
deadlock, etc.
Impact
Base Score 3.x: 6.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.0 (including) | 6.1.119 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.63 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.10 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/aa0d42cacf093a6fcca872edc954f6f812926a17
- https://git.kernel.org/stable/c/b8a1d572478b6f239061ee9578b2451bf2f021c2
- https://git.kernel.org/stable/c/b91bb0ce5cd7005b376eac690ec664c1b56372ec
- https://git.kernel.org/stable/c/c3742319d021f5aa3a0a8c828485fee14753f6de
- https://git.kernel.org/stable/c/d28b059ee4779b5102c5da6e929762520510e406
- https://git.kernel.org/stable/c/d4b42f926adcce4e5ec193c714afd9d37bba8e5b
- https://git.kernel.org/stable/c/e6716f4230a8784957273ddd27326264b27b9313