CVE-2022-48763

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 20/06/2024
Last modified: 17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Forcibly leave nested virt when SMM state is toggled

Forcibly leave nested virtualization operation if userspace toggles SMM
state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace
forces the vCPU out of SMM while it's post-VMXON and then injects an SMI,
vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both
vmxon=false and smm.vmxon=false, but all other nVMX state allocated.

Don't attempt to gracefully handle the transition as (a) most transitions
are nonsensical, e.g. forcing SMM while L2 is running, (b) there isn't
sufficient information to handle all transitions, e.g. SVM wants access
to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede
KVM_SET_NESTED_STATE during state restore as the latter disallows putting
the vCPU into L2 if SMM is active, and disallows tagging the vCPU as
being post-VMXON in SMM if SMM is not active.

Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX
due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond
just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU
in an architecturally impossible state.

WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
Modules linked in:
CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
Code: 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00
Call Trace:

kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123
kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]
kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460
kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]
kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676
kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]
kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250
kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273
__fput+0x286/0x9f0 fs/file_table.c:311
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0xb29/0x2a30 kernel/exit.c:806
do_group_exit+0xd2/0x2f0 kernel/exit.c:935
get_signal+0x4b0/0x28c0 kernel/signal.c:2862
arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

Vulnerable products and versions

CPE                                                From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       -                   5.10.97 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)    5.15.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)    5.16.5 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*  -                   -
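The ranges above are upstream version numbers, with the first row open at the bottom, the middle rows inclusive at the bottom and exclusive at the top, and 5.17-rc1 listed as a single exact entry. The following is an added example, not part of this record: a small checker that parses a release string (plain "5.15.18", "5.17-rc1", or uname -r style "5.15.0-91-generic") and tests it against exactly those ranges. The function and struct names are this example's own. It answers only the upstream question; a distribution kernel that backports the fix keeps an older version number and must be judged by the vendor's own advisory, not by this check.

```c
/*
 * Added example, not from the CVE record: check a kernel release string
 * against the upstream ranges in the table above. Matches only the upstream
 * version number; distribution kernels that backport the fix keep an old
 * number and must be checked against the vendor's own advisory.
 * Build: gcc -Wall -o affected affected.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kver { int major, minor, patch, rc; }; /* rc == 0 means a final release */

/* Parse "5.15.18", "5.17-rc1" or uname -r style "5.15.0-91-generic".
 * Returns 0 on success, -1 if the string does not start with major.minor. */
int parse_kver(const char *s, struct kver *v)
{
    char *end;

    memset(v, 0, sizeof *v);
    v->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return -1;
    s = end + 1;
    v->minor = (int)strtol(s, &end, 10);
    if (end == s)
        return -1;
    s = end;
    if (*s == '.') {
        v->patch = (int)strtol(s + 1, &end, 10);
        if (end == s + 1)
            return -1;
        s = end;
    }
    if (strncmp(s, "-rc", 3) == 0) {
        v->rc = (int)strtol(s + 3, &end, 10);
        if (end == s + 3 || v->rc <= 0)
            return -1;
    }
    return 0;
}

/* Usual ordering; a release candidate sorts before the final release. */
static int cmp_kver(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major - b->major;
    if (a->minor != b->minor) return a->minor - b->minor;
    if (a->patch != b->patch) return a->patch - b->patch;
    if (a->rc == b->rc) return 0;
    if (a->rc == 0) return 1;
    if (b->rc == 0) return -1;
    return a->rc - b->rc;
}

/* lo inclusive (NULL = open), hi exclusive: the table's (including)/(excluding). */
static int in_range(const struct kver *v, const struct kver *lo, const struct kver *hi)
{
    return (lo == NULL || cmp_kver(v, lo) >= 0) && cmp_kver(v, hi) < 0;
}

/* 1 = inside an affected range, 0 = outside, -1 = unparseable release string */
int cve_2022_48763_affects(const char *release)
{
    static const struct kver v5_10_97 = {5, 10, 97, 0}, v5_11 = {5, 11, 0, 0},
        v5_15_19 = {5, 15, 19, 0}, v5_16 = {5, 16, 0, 0}, v5_16_5 = {5, 16, 5, 0},
        v5_17_rc1 = {5, 17, 0, 1};
    struct kver v;

    if (parse_kver(release, &v) != 0)
        return -1;
    if (in_range(&v, NULL, &v5_10_97) || in_range(&v, &v5_11, &v5_15_19) ||
        in_range(&v, &v5_16, &v5_16_5))
        return 1;
    return cmp_kver(&v, &v5_17_rc1) == 0;   /* the single 5.17-rc1 CPE entry */
}

#if defined(__unix__) || defined(__APPLE__)
#include <sys/utsname.h>
int main(void)
{
    struct utsname u;
    int r;

    if (uname(&u) != 0) { perror("uname"); return 1; }
    r = cve_2022_48763_affects(u.release);
    printf("%s: %s\n", u.release,
           r == 1 ? "inside an affected upstream range" :
           r == 0 ? "outside the affected upstream ranges" : "release string not parsed");
    return r < 0;
}
#else
int main(void)
{
    printf("5.15.18 affected: %d\n", cve_2022_48763_affects("5.15.18"));
    return 0;
}
#endif
```

Note the gaps the table implies and the checker preserves: 5.10.97 and later 5.10.y, 5.15.19 and later 5.15.y, 5.16.5 and later 5.16.y, and 5.17-rc2 onwards all fall outside the listed ranges.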