lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <2025052038-reheat-upstroke-8d44@gregkh>
Date: Tue, 20 May 2025 16:00:05 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Juergen Gross <jgross@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: CVE-2022-49933: KVM: VMX: Reset eVMCS controls in VP assist page
 during hardware disabling

On Sat, May 17, 2025 at 07:26:58AM +0200, Juergen Gross wrote:
> On 02.05.25 17:54, Greg Kroah-Hartman wrote:
> > From: Greg Kroah-Hartman <gregkh@...nel.org>
> > 
> > Description
> > ===========
> > 
> > In the Linux kernel, the following vulnerability has been resolved:
> > 
> > KVM: VMX: Reset eVMCS controls in VP assist page during hardware disabling
> > 
> > Reset the eVMCS controls in the per-CPU VP assist page during hardware
> > disabling instead of waiting until kvm-intel's module exit.  The controls
> > are activated if and only if KVM creates a VM, i.e. don't need to be
> > reset if hardware is never enabled.
> > 
> > Doing the reset during hardware disabling will naturally fix a potential
> > NULL pointer deref bug once KVM disables CPU hotplug while enabling and
> > disabling hardware (which is necessary to fix a variety of bugs).  If the
> > kernel is running as the root partition, the VP assist page is unmapped
> > during CPU hot unplug, and so KVM's clearing of the eVMCS controls needs
> > to occur with CPU hot(un)plug disabled, otherwise KVM could attempt to
> > write to a CPU's VP assist page after it's unmapped.
> > 
> > The Linux kernel CVE team has assigned CVE-2022-49933 to this issue.
> 
> Is this really a security issue?
> 
> I don't see how an unprivileged user could trigger the mentioned NULL deref,
> as it requires CPU hotunplug (can't be triggered by user) to happen in parallel
> with unloading the kvm module (can't be triggered by user either).

Now rejected, thanks for the review!  This came in from the big "GSD
import" which is why it is for an old issue like this.

thanks again,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ