CVE-2021-47277

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
21/05/2024
Last modified:
30/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

kvm: avoid speculation-based attacks from out-of-range memslot accesses

KVM's mechanism for accessing guest memory translates a guest physical address (gpa) to a host virtual address using the right-shifted gpa (also known as gfn) and a struct kvm_memory_slot. The translation is performed in __gfn_to_hva_memslot using the following formula:

hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE

It is expected that gfn falls within the boundaries of the guest's physical memory. However, a guest can access invalid physical addresses in such a way that the gfn is invalid.

__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first retrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot does check whether the gfn falls within the boundaries of the guest's physical memory, a CPU can speculate the result of the check and continue execution speculatively using an illegal gfn. The speculation can result in calculating an out-of-bounds hva. If the resulting host virtual address is used to load another guest physical address, this is effectively a Spectre gadget consisting of two consecutive reads, the second of which is data dependent on the first.

Right now it's not clear if there are any cases in which this is exploitable. One interesting case was reported by the original author of this patch, and involves visiting guest page tables on x86. Right now these are not vulnerable because the hva read goes through get_user(), which contains an LFENCE speculation barrier. However, there are patches in progress for x86 uaccess.h to mask kernel addresses instead of using LFENCE; once these land, a guest could use speculation to read from the VMM's ring 3 address space. Other architectures such as ARM already use the address masking method, and would be susceptible to this same kind of data-dependent access gadgets. Therefore, this patch proactively protects from these attacks by masking out-of-bounds gfns in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.

Sean Christopherson noted that this patch does not cover kvm_read_guest_offset_cached. This however is limited to a few bytes past the end of the cache, and therefore it is unlikely to be useful in the context of building a chain of data dependent accesses.
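The translation formula and the masking mitigation described above, as an added userspace model (not the kernel's own code): the pre-fix computation is shown beside a version that clamps the offset with a branch-free mask in the style of the kernel's array_index_nospec, so an out-of-range gfn can no longer produce an hva outside the slot even on a speculated path. The base_gfn and userspace_addr fields come from the advisory; the npages field, the mask helper and the sample slot are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define BITS_PER_LONG (sizeof(unsigned long) * 8)

typedef uint64_t gfn_t;

struct kvm_memory_slot {
    gfn_t base_gfn;               /* first guest frame number of the slot */
    unsigned long npages;         /* slot length in pages (assumed field) */
    unsigned long userspace_addr; /* host virtual address of the slot start */
};

/* Constructed sample slot: 16 pages at gfn 0x100, mapped at a fake hva. */
static const struct kvm_memory_slot demo_slot = {
    .base_gfn = 0x100, .npages = 16, .userspace_addr = 0x7f0000000000UL,
};

/* Architectural bounds check as __gfn_to_memslot performs it; a CPU can
 * speculate past a mispredicted branch here, which is the root issue. */
static int gfn_in_slot(const struct kvm_memory_slot *slot, gfn_t gfn)
{
    return gfn >= slot->base_gfn && gfn - slot->base_gfn < slot->npages;
}

/* Branch-free mask: all ones when index < size, zero otherwise. Same shape
 * as the kernel's generic array_index_mask_nospec(); no branch to predict. */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Pre-fix translation: trusts the earlier check, so a speculated invalid
 * gfn yields an hva anywhere in the host address space. */
static unsigned long gfn_to_hva_unmasked(const struct kvm_memory_slot *slot, gfn_t gfn)
{
    return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
}

/* Mitigated translation: the offset is forced to zero for any gfn outside
 * the slot (including underflow below base_gfn), so the hva stays in bounds. */
static unsigned long gfn_to_hva_masked(const struct kvm_memory_slot *slot, gfn_t gfn)
{
    unsigned long offset = gfn - slot->base_gfn;
    offset &= index_mask_nospec(offset, slot->npages);
    return slot->userspace_addr + offset * PAGE_SIZE;
}
```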

Vulnerable products and versions

CPE                                                From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       -                   4.4.273 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.5 (including)     4.9.273 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.10 (including)    4.14.237 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.15 (including)    4.19.195 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.20 (including)    5.4.126 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5 (including)     5.10.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)    5.12.11 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*  -                   -
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*  -                   -
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*  -                   -
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*  -                   -
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*  -                   -