| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120843-CVE-2023-53756-f234@gregkh> Date: Mon, 8 Dec 2025 10:19:55 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53756: KVM: VMX: Fix crash due to uninitialized current_vmcs From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Fix crash due to uninitialized current_vmcs KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as a nested hypervisor on top of Hyper-V. When MSR bitmap is updated, evmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark that the msr bitmap was changed. vmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr -> vmx_msr_bitmap_l01_changed which in the end calls this function. The function checks for current_vmcs if it is null but the check is insufficient because current_vmcs is not initialized. Because of this, the code might incorrectly write to the structure pointed by current_vmcs value left by another task. Preemption is not disabled, the current task can be preempted and moved to another CPU while current_vmcs is accessed multiple times from evmcs_touch_msr_bitmap() which leads to crash. The manipulation of MSR bitmaps by callers happens only for vmcs01 so the solution is to use vmx->vmcs01.vmcs instead of current_vmcs. BUG: kernel NULL pointer dereference, address: 0000000000000338 PGD 4e1775067 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI ... RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel] ... Call Trace: vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel] vmx_vcpu_create+0xe6/0x540 [kvm_intel] kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm] kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm] kvm_vm_ioctl+0x53f/0x790 [kvm] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The Linux kernel CVE team has assigned CVE-2023-53756 to this issue. Affected and fixed versions =========================== Issue introduced in 4.18 with commit ceef7d10dfb6284d512c499292e6daa35ea83f90 and fixed in 5.10.175 with commit 6baebcecf09acd19e2bab1c2911dcdba5d48a1dc Issue introduced in 4.18 with commit ceef7d10dfb6284d512c499292e6daa35ea83f90 and fixed in 5.15.103 with commit 6e7bc50f97c9855da83f1478f722590defd45ff2 Issue introduced in 4.18 with commit ceef7d10dfb6284d512c499292e6daa35ea83f90 and fixed in 6.1.16 with commit b2de2b4d4e007f9add46ea8dc06f781835e3ea9f Issue introduced in 4.18 with commit ceef7d10dfb6284d512c499292e6daa35ea83f90 and fixed in 6.2.3 with commit 3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4 Issue introduced in 4.18 with commit ceef7d10dfb6284d512c499292e6daa35ea83f90 and fixed in 6.3 with commit 93827a0a36396f2fd6368a54a020f420c8916e9b Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53756 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/x86/kvm/vmx/hyperv.h arch/x86/kvm/vmx/vmx.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2 https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4 https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b
Powered by blists - more mailing lists