cve/published/2021/CVE-2021-47092.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47092: KVM: VMX: Always clear vmx->fail on emulation_required

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: VMX: Always clear vmx->fail on emulation_required

 Revert a relatively recent change that set vmx->fail if the vCPU is in L2
 and emulation_required is true, as that behavior is completely bogus.
 Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:

   (a) it's impossible to have both a VM-Fail and VM-Exit
   (b) vmcs.EXIT_REASON is not modified on VM-Fail
   (c) emulation_required refers to guest state and guest state checks are
       always VM-Exits, not VM-Fails.

 For KVM specifically, emulation_required is handled before nested exits
 in __vmx_handle_exit(), thus setting vmx->fail has no immediate effect,
 i.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored.
 Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit()
 firing when tearing down the VM as KVM never expects vmx->fail to be set
 when L2 is active, KVM always reflects those errors into L1.

   ------------[ cut here ]------------
   WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548
                                 nested_vmx_vmexit+0x16bd/0x17e0
                                 arch/x86/kvm/vmx/nested.c:4547
   Modules linked in:
   CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
   RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
   Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80
   Call Trace:
    vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]
    nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330
    vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799
    kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989
    kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441
    kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]
    kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545
    kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]
    kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220
    kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489
    __fput+0x3fc/0x870 fs/file_table.c:280
    task_work_run+0x146/0x1c0 kernel/task_work.c:164
    exit_task_work include/linux/task_work.h:32 [inline]
    do_exit+0x705/0x24f0 kernel/exit.c:832
    do_group_exit+0x168/0x2d0 kernel/exit.c:929
    get_signal+0x1740/0x2120 kernel/signal.c:2852
    arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868
    handle_signal_work kernel/entry/common.c:148 [inline]
    exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
    exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
    __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
    syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
    do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
    entry_SYSCALL_64_after_hwframe+0x44/0xae

 The Linux kernel CVE team has assigned CVE-2021-47092 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit c8607e4a086fae05efe5bffb47c5199c65e7216e and fixed in 5.15.12 with commit e4e4e7cb229821cd215031abc47efdab5486a67c
 	Issue introduced in 5.15 with commit c8607e4a086fae05efe5bffb47c5199c65e7216e and fixed in 5.16 with commit a80dfc025924024d2c61a4c1b8ef62b2fce76a04

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47092
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/vmx/vmx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e4e4e7cb229821cd215031abc47efdab5486a67c
 	https://git.kernel.org/stable/c/a80dfc025924024d2c61a4c1b8ef62b2fce76a04
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47092: KVM: VMX: Always clear vmx->fail on emulation_required

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: VMX: Always clear vmx->fail on emulation_required

	Revert a relatively recent change that set vmx->fail if the vCPU is in L2
	and emulation_required is true, as that behavior is completely bogus.
	Setting vmx->fail and synthesizing a VM-Exit is contradictory and wrong:

	(a) it's impossible to have both a VM-Fail and VM-Exit
	(b) vmcs.EXIT_REASON is not modified on VM-Fail
	(c) emulation_required refers to guest state and guest state checks are
	always VM-Exits, not VM-Fails.

	For KVM specifically, emulation_required is handled before nested exits
	in __vmx_handle_exit(), thus setting vmx->fail has no immediate effect,
	i.e. KVM calls into handle_invalid_guest_state() and vmx->fail is ignored.
	Setting vmx->fail can ultimately result in a WARN in nested_vmx_vmexit()
	firing when tearing down the VM as KVM never expects vmx->fail to be set
	when L2 is active, KVM always reflects those errors into L1.

	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 21158 at arch/x86/kvm/vmx/nested.c:4548
	nested_vmx_vmexit+0x16bd/0x17e0
	arch/x86/kvm/vmx/nested.c:4547
	Modules linked in:
	CPU: 0 PID: 21158 Comm: syz-executor.1 Not tainted 5.16.0-rc3-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	RIP: 0010:nested_vmx_vmexit+0x16bd/0x17e0 arch/x86/kvm/vmx/nested.c:4547
	Code: <0f> 0b e9 2e f8 ff ff e8 57 b3 5d 00 0f 0b e9 00 f1 ff ff 89 e9 80
	Call Trace:
	vmx_leave_nested arch/x86/kvm/vmx/nested.c:6220 [inline]
	nested_vmx_free_vcpu+0x83/0xc0 arch/x86/kvm/vmx/nested.c:330
	vmx_free_vcpu+0x11f/0x2a0 arch/x86/kvm/vmx/vmx.c:6799
	kvm_arch_vcpu_destroy+0x6b/0x240 arch/x86/kvm/x86.c:10989
	kvm_vcpu_destroy+0x29/0x90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:441
	kvm_free_vcpus arch/x86/kvm/x86.c:11426 [inline]
	kvm_arch_destroy_vm+0x3ef/0x6b0 arch/x86/kvm/x86.c:11545
	kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1189 [inline]
	kvm_put_kvm+0x751/0xe40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1220
	kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3489
	__fput+0x3fc/0x870 fs/file_table.c:280
	task_work_run+0x146/0x1c0 kernel/task_work.c:164
	exit_task_work include/linux/task_work.h:32 [inline]
	do_exit+0x705/0x24f0 kernel/exit.c:832
	do_group_exit+0x168/0x2d0 kernel/exit.c:929
	get_signal+0x1740/0x2120 kernel/signal.c:2852
	arch_do_signal_or_restart+0x9c/0x730 arch/x86/kernel/signal.c:868
	handle_signal_work kernel/entry/common.c:148 [inline]
	exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
	exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:207
	__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
	syscall_exit_to_user_mode+0x2e/0x70 kernel/entry/common.c:300
	do_syscall_64+0x53/0xd0 arch/x86/entry/common.c:86
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	The Linux kernel CVE team has assigned CVE-2021-47092 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit c8607e4a086fae05efe5bffb47c5199c65e7216e and fixed in 5.15.12 with commit e4e4e7cb229821cd215031abc47efdab5486a67c
	Issue introduced in 5.15 with commit c8607e4a086fae05efe5bffb47c5199c65e7216e and fixed in 5.16 with commit a80dfc025924024d2c61a4c1b8ef62b2fce76a04

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47092
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/vmx/vmx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e4e4e7cb229821cd215031abc47efdab5486a67c
	https://git.kernel.org/stable/c/a80dfc025924024d2c61a4c1b8ef62b2fce76a04