CVE-2024-50115

Severity (CVSS v4.0): Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 05/11/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3.

In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages.

Per the APM:

The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0.

And the SDM's much more explicit:

4:0 Ignored

Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken.
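The following is an added illustration, not KVM's code: it models the PDPTE load described above against a constructed one-page memslot whose PDPT sits in the final 32 bytes, and shows the unmasked nCR3 pushing the 32-byte read past the slot while the masked form stays in bounds. The struct and function names (memslot, pdpt_base_broken, pdpt_base_fixed, load_pdptes, try_load) and all addresses are assumptions made for the example.

```c
/* Added example, not KVM code: models the nCR3 -> PDPTE load described above.
 * memslot, pdpt_base_*, load_pdptes, try_load are hypothetical names; only the
 * bits-4:0 handling is modelled, other CR3 masking and checks are omitted. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE   4096ULL
#define PDPTE_COUNT 4                        /* PAE: four 64-bit PDPTEs = 32 bytes */
#define PDPT_SIZE   (PDPTE_COUNT * sizeof(uint64_t))

/* A constructed guest memory slot: base GPA plus a byte-addressable backing. */
struct memslot { uint64_t base_gpa; uint64_t npages; uint8_t *backing; };
/* Broken: use nCR3 as given, so garbage in bits 4:0 shifts the table base. */
static uint64_t pdpt_base_broken(uint64_t ncr3) { return ncr3; }
/* Fixed: per the APM/SDM, bits 4:0 of CR3 are ignored under PAE paging. */
static uint64_t pdpt_base_fixed(uint64_t ncr3) { return ncr3 & ~0x1FULL; }

/* Copy the four PDPTEs at pdpt_gpa out of the slot. Returns false when any
 * byte of the 32-byte read would fall outside the slot, i.e. the OOB case. */
static bool load_pdptes(const struct memslot *slot, uint64_t pdpt_gpa,
                        uint64_t out[PDPTE_COUNT])
{
    uint64_t slot_end = slot->base_gpa + slot->npages * PAGE_SIZE;
    if (pdpt_gpa < slot->base_gpa || pdpt_gpa + PDPT_SIZE > slot_end)
        return false;
    memcpy(out, slot->backing + (pdpt_gpa - slot->base_gpa), PDPT_SIZE);
    return true;
}

/* One-page slot with the PDPT in its last 32 bytes (the "end of a memslot"
 * case); the guest's nCR3 has 0x1F in bits 4:0, which VMRUN does not reject.
 * Returns PDPTE0 on success, 0 when the load would read out of bounds. */
static uint64_t try_load(uint64_t (*base_fn)(uint64_t))
{
    static uint8_t page[PAGE_SIZE];
    struct memslot slot = { .base_gpa = 0x100000, .npages = 1, .backing = page };
    uint64_t pdpt[PDPTE_COUNT] = { 0x201001, 0x202001, 0x203001, 0x204001 }; /* constructed */
    uint64_t out[PDPTE_COUNT] = { 0 };
    uint64_t ncr3 = slot.base_gpa + PAGE_SIZE - PDPT_SIZE + 0x1F;
    memcpy(page + PAGE_SIZE - PDPT_SIZE, pdpt, PDPT_SIZE);
    return load_pdptes(&slot, base_fn(ncr3), out) ? out[0] : 0;
}
int main(void)
{
    printf("broken: %s\n", try_load(pdpt_base_broken) ? "in bounds" : "out-of-bounds read");
    printf("fixed:  PDPTE0=0x%llx\n", (unsigned long long)try_load(pdpt_base_fixed));
    return 0;
}
```

The bounds check in load_pdptes stands in for the guard page the description mentions; without it, the broken path would simply read 31 bytes past the end of the slot.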

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       3.2 (including)    5.10.229 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)   5.15.170 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)   6.1.115 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)    6.6.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*