| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU\n\nZap both valid and invalid roots when zapping/unmapping a gfn range, as\nKVM must ensure it holds no references to the freed page after returning\nfrom the unmap operation. Most notably, the TDP MMU doesn't zap invalid\nroots in mmu_notifier callbacks. This leads to use-after-free and other\nissues if the mmu_notifier runs to completion while an invalid root\nzapper yields as KVM fails to honor the requirement that there must be\n_no_ references to the page after the mmu_notifier returns.\n\nThe bug is most easily reproduced by hacking KVM to cause a collision\nbetween set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug\nexists between kvm_mmu_notifier_invalidate_range_start() and memslot\nupdates as well. Invalidating a root ensures pages aren't accessible by\nthe guest, and KVM won't read or write page data itself, but KVM will\ntrigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing\na zap of an invalid root _after_ the mmu_notifier returns is fatal.\n\n WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]\n RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]\n Call Trace:\n <TASK>\n kvm_set_pfn_dirty+0xa8/0xe0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n __handle_changed_spte+0x2ab/0x5e0 [kvm]\n zap_gfn_range+0x1f3/0x310 [kvm]\n kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]\n kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]\n set_nx_huge_pages+0xb4/0x190 [kvm]\n param_attr_store+0x70/0x100\n module_attr_store+0x19/0x30\n kernfs_fop_write_iter+0x119/0x1b0\n new_sync_write+0x11c/0x1b0\n vfs_write+0x1cc/0x270\n ksys_write+0x5f/0xe0\n do_syscall_64+0x38/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n </TASK>" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "arch/x86/kvm/mmu/tdp_mmu.c" |
| ], |
| "versions": [ |
| { |
| "version": "b7cccd397f310739fb85383033e95580f99927e0", |
| "lessThan": "af47248407c0c5ae52a752af1ab5ce5b0db91502", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "b7cccd397f310739fb85383033e95580f99927e0", |
| "lessThan": "0c8a8da182d4333d9bbb9131d765145568c847b2", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "b7cccd397f310739fb85383033e95580f99927e0", |
| "lessThan": "8cf6f98ab1d16d5e607635a0c21c4231eb15367e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "b7cccd397f310739fb85383033e95580f99927e0", |
| "lessThan": "d62007edf01f5c11f75d0f4b1e538fc52a5b1982", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "arch/x86/kvm/mmu/tdp_mmu.c" |
| ], |
| "versions": [ |
| { |
| "version": "5.13", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.13", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.33", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.16.19", |
| "lessThanOrEqual": "5.16.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.17.2", |
| "lessThanOrEqual": "5.17.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.18", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.15.33" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.16.19" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.17.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.18" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/af47248407c0c5ae52a752af1ab5ce5b0db91502" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/0c8a8da182d4333d9bbb9131d765145568c847b2" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/8cf6f98ab1d16d5e607635a0c21c4231eb15367e" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d62007edf01f5c11f75d0f4b1e538fc52a5b1982" |
| } |
| ], |
| "title": "KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2021-47639", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
