Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKENHide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable supportfor virtualizing Intel PT via guest/host mode unless BROKEN=y. There aremyriad bugs in the implementation, some of which are fatal to the guest,and others which put the stability and health of the host at risk.For guest fatalities, the most glaring issue is that KVM fails to ensuretracing is disabled, and *stays* disabled prior to VM-Enter, which isnecessary as hardware disallows loading (the guest's) RTIT_CTL if tracingis enabled (enforced via a VMX consistency check). Per the SDM: If the logical processor is operating with Intel PT enabled (if IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load IA32_RTIT_CTL" VM-entry control must be 0.On the host side, KVM doesn't validate the guest CPUID configurationprovided by userspace, and even worse, uses the guest configuration todecide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuringguest CPUID to enumerate more address ranges than are supported in hardwarewill result in KVM trying to passthrough, save, and load non-existent MSRs,which generates a variety of WARNs, ToPA ERRORs in the host, a potentialdeadlock, etc.
No PoCs from references.
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/w4zu/Debian_security