In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emulating the nested VM-Exit can access guest memory.

The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.

  =============================
  WARNING: suspicious RCU usage
  6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
  -----------------------------
  include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!

  other info that might help us debug this:

  rcu_scheduler_active = 2, debug_locks = 1
  1 lock held by triple_fault_ev/1256:
   #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]

  stack backtrace:
  CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  Call Trace:
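The locking rule behind this fix, as an added userspace model (not kernel code and not the actual patch): KVM's memslot accessors are annotated with rcu_dereference_check(), so lockdep warns whenever guest memory is touched without kvm->srcu (or slots_lock) held. The model below mimics that check with a read-side counter, reproduces the call chain the commit describes (get MP state -> accept APIC events -> ->check_nested_events() -> guest memory access while in L2 with INIT and TRIPLE_FAULT pending), and contrasts the ioctl path before the fix with the fixed path that brackets the work in srcu_read_lock()/srcu_read_unlock(). All structures, function names and the "one memory access on the nested VM-Exit" behaviour are simplified assumptions of this model, not the real KVM types or signatures.

```c
/* Added example: userspace model of the kvm->srcu rule behind this fix.
 * Not kernel code; the struct layouts and helper signatures are assumptions
 * chosen to mirror the commit message, not the real KVM definitions. */
#include <stdbool.h>
#include <stdio.h>

enum { KVM_MP_STATE_RUNNABLE = 0, KVM_MP_STATE_INIT_RECEIVED = 3 };

/* Model of struct kvm: only the SRCU read-side state and a splat counter. */
struct kvm {
	int srcu_readers;	/* read-side nesting depth, stands in for kvm->srcu */
	int warnings;		/* number of "suspicious RCU usage" splats emitted */
};

/* Model of struct kvm_vcpu with just the state that drives the edge case. */
struct kvm_vcpu {
	struct kvm *kvm;
	bool init_pending;		/* pending INIT event */
	bool triple_fault_pending;	/* pending TRIPLE_FAULT request */
	bool in_l2;			/* vCPU is executing a nested (L2) guest */
	int mp_state;
};

/* Model of srcu_read_lock()/srcu_read_unlock(): track read-side depth. */
static int srcu_read_lock(struct kvm *kvm)
{
	return kvm->srcu_readers++;
}

static void srcu_read_unlock(struct kvm *kvm, int idx)
{
	(void)idx;
	kvm->srcu_readers--;
}

/* Model of the rcu_dereference_check() condition on memslot access:
 * the caller must be inside an SRCU read-side critical section. */
static bool srcu_read_lock_held(struct kvm *kvm)
{
	return kvm->srcu_readers > 0;
}

/* Model of any guest memory access (e.g. the VMX VM-Exit MSR-store area):
 * record a lockdep-style splat if kvm->srcu is not held. */
static void kvm_vcpu_read_guest(struct kvm_vcpu *vcpu)
{
	if (!srcu_read_lock_held(vcpu->kvm)) {
		vcpu->kvm->warnings++;
		fprintf(stderr, "WARNING: suspicious RCU usage: guest memory "
			"touched without kvm->srcu held\n");
	}
	/* ... memslot lookup and copy from guest memory would happen here ... */
}

/* Model of ->check_nested_events(): INIT plus TRIPLE_FAULT pending while in
 * L2 forces a nested VM-Exit, and emulating that exit touches guest memory. */
static void check_nested_events(struct kvm_vcpu *vcpu)
{
	if (vcpu->in_l2 && vcpu->init_pending && vcpu->triple_fault_pending) {
		vcpu->in_l2 = false;		/* exit from L2 to L1 */
		kvm_vcpu_read_guest(vcpu);	/* the access the fix protects */
	}
}

/* Model of accepting APIC events: process the pending INIT. */
static void kvm_apic_accept_events(struct kvm_vcpu *vcpu)
{
	check_nested_events(vcpu);
	if (vcpu->init_pending) {
		vcpu->init_pending = false;
		vcpu->mp_state = KVM_MP_STATE_INIT_RECEIVED;
	}
}

/* Before the fix: only vcpu->mutex is held when events are accepted. */
static int get_mpstate_unfixed(struct kvm_vcpu *vcpu)
{
	kvm_apic_accept_events(vcpu);
	return vcpu->mp_state;
}

/* After the fix: take kvm->srcu around the event processing. */
static int get_mpstate_fixed(struct kvm_vcpu *vcpu)
{
	int idx = srcu_read_lock(vcpu->kvm);

	kvm_apic_accept_events(vcpu);
	srcu_read_unlock(vcpu->kvm, idx);
	return vcpu->mp_state;
}

/* Set up the edge case from the commit message (L2, INIT and TRIPLE_FAULT
 * pending), query MP state, and return how many splats were produced. */
static int run_scenario(bool fixed, int *mp_state)
{
	struct kvm kvm = { 0, 0 };
	struct kvm_vcpu vcpu = { &kvm, true, true, true, KVM_MP_STATE_RUNNABLE };

	*mp_state = fixed ? get_mpstate_fixed(&vcpu) : get_mpstate_unfixed(&vcpu);
	return kvm.warnings;
}

int main(void)
{
	int st;

	printf("unfixed path: %d splat(s), mp_state=%d\n", run_scenario(false, &st), st);
	printf("fixed path:   %d splat(s), mp_state=%d\n", run_scenario(true, &st), st);
	return 0;
}
```

The unfixed path produces one splat because the nested VM-Exit emulation reaches guest memory with nothing but the vCPU mutex held, which is exactly the lock shown in the lockdep output above; the fixed path produces none while returning the same MP state. The general check to carry into review of any KVM ioctl handler is the same: if a path can reach ->check_nested_events() or any other routine that may touch memslots, the read side of kvm->srcu must already be held, since vcpu->mutex alone does not satisfy rcu_dereference_check().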
No PoCs from references.
- https://github.com/w4zu/Debian_security