| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025011145-CVE-2024-55881-ad68@gregkh> Date: Sat, 11 Jan 2025 13:35:55 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-55881: KVM: x86: Play nice with protected guests in complete_hypercall_exit() Description =========== In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Play nice with protected guests in complete_hypercall_exit() Use is_64_bit_hypercall() instead of is_64_bit_mode() to detect a 64-bit hypercall when completing said hypercall. For guests with protected state, e.g. SEV-ES and SEV-SNP, KVM must assume the hypercall was made in 64-bit mode as the vCPU state needed to detect 64-bit mode is unavailable. Hacking the sev_smoke_test selftest to generate a KVM_HC_MAP_GPA_RANGE hypercall via VMGEXIT trips the WARN: ------------[ cut here ]------------ WARNING: CPU: 273 PID: 326626 at arch/x86/kvm/x86.h:180 complete_hypercall_exit+0x44/0xe0 [kvm] Modules linked in: kvm_amd kvm ... [last unloaded: kvm] CPU: 273 UID: 0 PID: 326626 Comm: sev_smoke_test Not tainted 6.12.0-smp--392e932fa0f3-feat #470 Hardware name: Google Astoria/astoria, BIOS 0.20240617.0-0 06/17/2024 RIP: 0010:complete_hypercall_exit+0x44/0xe0 [kvm] Call Trace: <TASK> kvm_arch_vcpu_ioctl_run+0x2400/0x2720 [kvm] kvm_vcpu_ioctl+0x54f/0x630 [kvm] __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- The Linux kernel CVE team has assigned CVE-2024-55881 to this issue. Affected and fixed versions =========================== Issue introduced in 5.15.5 with commit 5969e2435cbd7f0ce8c28d717bfc39987ee8d8f1 and fixed in 5.15.176 with commit 0840d360a8909c722fb62459f42836afe32ededb Issue introduced in 5.16 with commit b5aead0064f33ae5e693a364e3204fe1c0ac9af2 and fixed in 6.1.122 with commit 7ed4db315094963de0678a8adfd43c46471b9349 Issue introduced in 5.16 with commit b5aead0064f33ae5e693a364e3204fe1c0ac9af2 and fixed in 6.6.68 with commit 3d2634ec0d1dbe8f4b511cf5261f327c6a76f4b6 Issue introduced in 5.16 with commit b5aead0064f33ae5e693a364e3204fe1c0ac9af2 and fixed in 6.12.7 with commit 22b5c2acd65dbe949032f619d4758a35a82fffc3 Issue introduced in 5.16 with commit b5aead0064f33ae5e693a364e3204fe1c0ac9af2 and fixed in 6.13-rc4 with commit 9b42d1e8e4fe9dc631162c04caa69b0d1860b0f0 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-55881 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/x86/kvm/x86.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/0840d360a8909c722fb62459f42836afe32ededb https://git.kernel.org/stable/c/7ed4db315094963de0678a8adfd43c46471b9349 https://git.kernel.org/stable/c/3d2634ec0d1dbe8f4b511cf5261f327c6a76f4b6 https://git.kernel.org/stable/c/22b5c2acd65dbe949032f619d4758a35a82fffc3 https://git.kernel.org/stable/c/9b42d1e8e4fe9dc631162c04caa69b0d1860b0f0
Powered by blists - more mailing lists