CVE-2024-53196

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/12/2024
Last modified:
27/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: arm64: Don&amp;#39;t retire aborted MMIO instruction<br /> <br /> Returning an abort to the guest for an unsupported MMIO access is a<br /> documented feature of the KVM UAPI. Nevertheless, it&amp;#39;s clear that this<br /> plumbing has seen limited testing, since userspace can trivially cause a<br /> WARN in the MMIO return:<br /> <br /> WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536<br /> Call trace:<br /> kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536<br /> kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133<br /> kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487<br /> __do_sys_ioctl fs/ioctl.c:51 [inline]<br /> __se_sys_ioctl fs/ioctl.c:893 [inline]<br /> __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893<br /> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]<br /> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49<br /> el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132<br /> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151<br /> el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712<br /> el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730<br /> el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598<br /> <br /> The splat is complaining that KVM is advancing PC while an exception is<br /> pending, i.e. that KVM is retiring the MMIO instruction despite a<br /> pending synchronous external abort. Womp womp.<br /> <br /> Fix the glaring UAPI bug by skipping over all the MMIO emulation in<br /> case there is a pending synchronous exception. Note that while userspace<br /> is capable of pending an asynchronous exception (SError, IRQ, or FIQ),<br /> it is still safe to retire the MMIO instruction in this case as (1) they<br /> are by definition asynchronous, and (2) KVM relies on hardware support<br /> for pending/delivering these exceptions instead of the software state<br /> machine for advancing PC.

Impact