CVE-2024-53196
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/12/2024
Last modified:
27/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Don't retire aborted MMIO instruction

Returning an abort to the guest for an unsupported MMIO access is a
documented feature of the KVM UAPI. Nevertheless, it's clear that this
plumbing has seen limited testing, since userspace can trivially cause a
WARN in the MMIO return:

WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
Call trace:
kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133
kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487
__do_sys_ioctl fs/ioctl.c:51 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The splat is complaining that KVM is advancing PC while an exception is
pending, i.e. that KVM is retiring the MMIO instruction despite a
pending synchronous external abort. Womp womp.

Fix the glaring UAPI bug by skipping over all the MMIO emulation in
case there is a pending synchronous exception. Note that while userspace
is capable of pending an asynchronous exception (SError, IRQ, or FIQ),
it is still safe to retire the MMIO instruction in this case as (1) they
are by definition asynchronous, and (2) KVM relies on hardware support
for pending/delivering these exceptions instead of the software state
machine for advancing PC.
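The retire-or-skip decision the commit message describes, as a constructed user-space C model added here for illustration. It is not kernel code: the `struct vcpu` fields, the `incr_pc`/`mmio_return_*` functions and the `ASYNC_*` bits are invented stand-ins for the KVM internals, and the only real UAPI detail referenced is the documented abort-injection path (KVM_SET_VCPU_EVENTS with `ext_dabt_pending` set). The model shows why the pre-fix path trips the PC-advance invariant when userspace aborts the access, why the fixed path does not, and why a pending asynchronous exception (SError/IRQ/FIQ, delivered by hardware rather than the software PC state machine) still allows the instruction to be retired.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the arm64 KVM MMIO-return path from CVE-2024-53196.
 * Not kernel code: names and fields are invented to mirror the commit text.
 */

#define INSN_SIZE 4u            /* AArch64 instructions are 4 bytes */

/* Asynchronous exceptions are pended as hardware virtual-interrupt bits
 * (HCR_EL2.VSE/VI/VF-style); they never go through the software PC state
 * machine, which is why retiring the instruction is safe with them pending. */
#define ASYNC_SERROR (1u << 0)
#define ASYNC_IRQ    (1u << 1)
#define ASYNC_FIQ    (1u << 2)

struct vcpu {
    uint64_t pc;            /* guest PC of the faulting MMIO instruction */
    bool mmio_needed;       /* a guest load/store is waiting for userspace's answer */
    bool sync_pending;      /* software state machine: a synchronous abort is queued */
    unsigned async_pending; /* ASYNC_* bits, delivered by hardware on guest entry */
    int warn_count;         /* stands in for the kernel WARN in the PC-advance path */
};

/* Model of the PC-advance helper: moving PC while a synchronous exception is
 * pending violates the invariant, which is exactly what the splat reports. */
static void incr_pc(struct vcpu *v)
{
    if (v->sync_pending)
        v->warn_count++;
    v->pc += INSN_SIZE;
}

/* Userspace answers the MMIO exit with an external abort instead of data
 * (real KVM: KVM_SET_VCPU_EVENTS with ext_dabt_pending = 1). */
static void userspace_abort_mmio(struct vcpu *v)
{
    v->sync_pending = true;
}

/* Before the fix: the MMIO instruction is always retired. */
static int mmio_return_before_fix(struct vcpu *v)
{
    if (!v->mmio_needed)
        return 1;
    v->mmio_needed = false;
    /* (destination-register write-back for loads would happen here) */
    incr_pc(v);               /* wrong when userspace aborted the access */
    return 1;
}

/* After the fix: skip all MMIO emulation while a synchronous exception is
 * pending; the abort is delivered on guest entry and the faulting
 * instruction is left un-retired for the guest's handler to deal with. */
static int mmio_return_after_fix(struct vcpu *v)
{
    if (!v->mmio_needed)
        return 1;
    v->mmio_needed = false;
    if (v->sync_pending)
        return 1;             /* do not advance PC */
    incr_pc(v);
    return 1;
}

/* One MMIO exit/return cycle on a fresh vCPU. Returns the number of invariant
 * violations; *pc_advanced (if non-NULL) reports whether PC moved. */
static int run_mmio_cycle(bool fixed, bool userspace_aborts, unsigned async_bits,
                          bool *pc_advanced)
{
    struct vcpu v = { .pc = 0x40001000, .mmio_needed = true };
    uint64_t pc_before = v.pc;

    v.async_pending |= async_bits;     /* e.g. userspace pended an SError */
    if (userspace_aborts)
        userspace_abort_mmio(&v);

    if (fixed)
        mmio_return_after_fix(&v);
    else
        mmio_return_before_fix(&v);

    if (pc_advanced)
        *pc_advanced = v.pc != pc_before;
    return v.warn_count;
}

/* Convenience wrapper: did the instruction get retired in this scenario? */
static bool pc_advances(bool fixed, bool userspace_aborts, unsigned async_bits)
{
    bool adv = false;
    run_mmio_cycle(fixed, userspace_aborts, async_bits, &adv);
    return adv;
}

int main(void)
{
    printf("before fix, aborted MMIO : warn=%d pc_advanced=%d\n",
           run_mmio_cycle(false, true, 0, NULL), pc_advances(false, true, 0));
    printf("after fix,  aborted MMIO : warn=%d pc_advanced=%d\n",
           run_mmio_cycle(true, true, 0, NULL), pc_advances(true, true, 0));
    printf("after fix,  SError pended: warn=%d pc_advanced=%d\n",
           run_mmio_cycle(true, false, ASYNC_SERROR, NULL),
           pc_advances(true, false, ASYNC_SERROR));
    return 0;
}
```

The first line of output reproduces the bug (one invariant violation, PC advanced past an instruction the guest never completed); the second shows the fixed path leaving PC alone; the third shows that a pending asynchronous exception does not block retirement, matching the commit message's reasoning.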
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1e46460efe1ef9a31748de7675ff8fe0d8601af2
- https://git.kernel.org/stable/c/6af853cf5f897d55f42e9166f4db50e84e404fb3
- https://git.kernel.org/stable/c/d0571c3add987bcb69c2ffd7a70c998bf8ce60fb
- https://git.kernel.org/stable/c/e735a5da64420a86be370b216c269b5dd8e830e2
- https://git.kernel.org/stable/c/ea6b5d98fea4ee8cb443ea98fda520909e90d30e