The vulnerability, tracked as CVE-2021-46978, is related to the KVM (Kernel-based Virtual Machine) component in the Linux kernel. Specifically, it affects the nested virtualization feature, which allows a hypervisor to run inside a guest virtual machine.
When enlightened VMCS (Virtual-Machine Control Structure) is used and the nested state is migrated with `vmx_get_nested_state()` and `vmx_set_nested_state()`, KVM cannot map the eVMCS page right away: the eVMCS GPA (Guest Physical Address) is not part of `struct kvm_vmx_nested_state_hdr`, and it cannot be read from the VP assist page either, because userspace may restore HV_X64_MSR_VP_ASSIST_PAGE only after restoring the nested state.
To ensure that eVMCS is mapped, `vmx_set_nested_state()` raises a `KVM_REQ_GET_NESTED_STATE_PAGES` request. However, when an immediate exit from L2 to L1 occurs right after migration (e.g., due to a pending event), the MSR permission bitmap may not be switched correctly.
Commit `f2c7ef3ba955`, which introduced this issue, added clearing of `KVM_REQ_GET_NESTED_STATE_PAGES` in `nested_vmx_vmexit()` so that the MSR permission bitmap is not switched incorrectly on such an exit. In the eVMCS case, however, that change is incomplete: the same request is what triggers the eVMCS mapping, so clearing it leaves the eVMCS page unmapped.
The vulnerability was introduced in Linux kernel versions 5.10.13 and 5.11, and fixed in versions 5.10.38, 5.11.22, 5.12.5, and 5.13. The affected file is `arch/x86/kvm/vmx/nested.c`. The recommended mitigation is to update to the latest stable kernel version.
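The version ranges above translate into a simple triage check. The following shell function is an added example, not part of the advisory or of the kernel tree: it parses a kernel version string and reports whether it falls inside the affected upstream ranges (5.10.13 up to but excluding 5.10.38, 5.11 up to but excluding 5.11.22, 5.12 up to but excluding 5.12.5). It looks at the version number only; it does not inspect the kernel configuration, and release-candidate tags are treated as their final release. Distribution kernels backport fixes without changing the upstream version, so a positive result means "consult the distro changelog", not a confirmed exposure.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the kernel tree): decide,
# from a kernel version string alone, whether it lies in the ranges the
# advisory lists for CVE-2021-46978:
#   5.10.13 <= v < 5.10.38,  5.11 <= v < 5.11.22,  5.12 <= v < 5.12.5;
#   5.13 and later are fixed, 5.10.12 and earlier never had the commit.
# Exit status: 0 = version is in an affected range, 1 = outside it,
#              2 = the string could not be parsed.
affected_by_cve_2021_46978() {
    v=${1%%-*}              # drop "-rc1", "-generic", "-amd64", ...
    v=${v%%+*}              # drop a "+" local-version suffix
    case $v in
        ''|*[!0-9.]*) return 2 ;;   # not a plain dotted number
    esac
    major=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then     # "5" alone: no minor component
        minor=0; patch=0
    else
        minor=${rest%%.*}
        patch=${rest#*.}
        [ "$patch" = "$rest" ] && patch=0   # "5.11" -> patch 0
        patch=${patch%%.*}                  # "5.10.38.1" -> 38
    fi
    [ "$major" -eq 5 ] || return 1
    case $minor in
        10) [ "$patch" -ge 13 ] && [ "$patch" -lt 38 ] && return 0 ;;
        11) [ "$patch" -lt 22 ] && return 0 ;;
        12) [ "$patch" -lt 5 ] && return 0 ;;
    esac
    return 1
}

# Stand-alone use: check the running kernel's version string.
running=$(uname -r 2>/dev/null || echo unknown)
if affected_by_cve_2021_46978 "$running"; then
    echo "$running: inside an affected upstream range for CVE-2021-46978"
else
    echo "$running: outside the affected upstream ranges (or unparsable)"
fi
```

The parsing relies only on POSIX parameter expansion, so it runs under dash as well as bash. Because the ranges come straight from the advisory's version list, extend the `case` block if a vendor publishes additional fixed versions for its own branches.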