CVE-2026-63806
Fecha de publicación:
19/07/2026
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned()<br />
<br />
Drop a BUG_ON() that has been reachable since it was first added, way back<br />
in 2009, and instead use get_unaligned() to perform potentially-unaligned<br />
accesses.<br />
<br />
For a given store, KVM x86&#39;s emulator tracks the entire value in the<br />
destination operand, x86_emulate_ctxt.dst. If the destination is memory,<br />
and the target splits multiple pages and/or is emulated MMIO, then KVM<br />
handles each fragment independently. E.g. on a page split starting at page<br />
offset 0xffc, KVM writes 4 bytes to the first page, then the remaining<br />
bytes to the second page, using ctxt->dst as the source for both (with<br />
appropriate offsets).<br />
<br />
If the destination splits a page *and* hits emulated MMIO on the second<br />
page, then KVM will complete the write to the first page, then emulate the<br />
MMIO access to the second page. If there is a datamatch-enabled ioeventfd<br />
at offset 0 of the second page, then KVM will process the remainder of the<br />
store as a potential ioeventfd signal.<br />
<br />
Putting it all together, if the guest emits a store that splits a page<br />
starting at page offset N, and the second page has a datamatch-enabled<br />
ioeventfd at offset 0, then KVM will check for datamatch using<br />
&dst.valptr[N] as the source. Due to dst (and thus dst.valptr) being<br />
32-byte aligned, if N is not aligned to @len, the BUG_ON() fires.<br />
<br />
E.g. with a 16-byte store at page offset 0xffc, to an ioeventfd of len 8,<br />
all initial checks in ioeventfd_in_range() will succeed, and the BUG_ON()<br />
fires due to @val being 4-byte aligned, but not 8-byte aligned.<br />
<br />
------------[ cut here ]------------<br />
kernel BUG at arch/x86/kvm/../../../virt/kvm/eventfd.c:783!<br />
Oops: invalid opcode: 0000 [#1] SMP<br />
CPU: 0 UID: 1000 PID: 615 Comm: repro Not tainted 7.1.0-rc2-ff238429d1ea #365 PREEMPT<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015<br />
RIP: 0010:ioeventfd_write+0x6c/0x70 [kvm]<br />
Call Trace:<br />
<br />
__kvm_io_bus_write+0x85/0xb0 [kvm]<br />
kvm_io_bus_write+0x53/0x80 [kvm]<br />
vcpu_mmio_write+0x66/0xf0 [kvm]<br />
emulator_read_write_onepage+0x12a/0x540 [kvm]<br />
emulator_read_write+0x109/0x2b0 [kvm]<br />
x86_emulate_insn+0x4f8/0xfb0 [kvm]<br />
x86_emulate_instruction+0x181/0x790 [kvm]<br />
kvm_mmu_page_fault+0x313/0x630 [kvm]<br />
vmx_handle_exit+0x18a/0x590 [kvm_intel]<br />
kvm_arch_vcpu_ioctl_run+0xc81/0x1c90 [kvm]<br />
kvm_vcpu_ioctl+0x2d5/0x970 [kvm]<br />
__x64_sys_ioctl+0x8a/0xd0<br />
do_syscall_64+0xb7/0x890<br />
entry_SYSCALL_64_after_hwframe+0x4b/0x53<br />
RIP: 0033:0x7f19c931a9bf<br />
<br />
Modules linked in: kvm_intel kvm irqbypass<br />
---[ end trace 0000000000000000 ]---<br />
<br />
In a perfect world, the fix would be to simply delete the BUG_ON(), as KVM<br />
x86 doesn&#39;t perform alignment checks on "normal" memory accesses at CPL0.<br />
Sadly, C99 ruins all the fun; while the x86 architecture plays nice,<br />
dereferencing an unaligned pointer directly is undefined behavior in C,<br />
e.g. triggers splats when running with CONFIG_UBSAN_ALIGNMENT=y.
Gravedad: Pendiente de análisis
Última modificación:
19/07/2026