| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Drop WARNs that assert a triple fault never \"escapes\" from L2\n\nRemove WARNs that sanity check that KVM never lets a triple fault for L2\nescape and incorrectly end up in L1. In normal operation, the sanity\ncheck is perfectly valid, but it incorrectly assumes that it's impossible\nfor userspace to induce KVM_REQ_TRIPLE_FAULT without bouncing through\nKVM_RUN (which guarantees kvm_check_nested_state() will see and handle\nthe triple fault).\n\nThe WARN can currently be triggered if userspace injects a machine check\nwhile L2 is active and CR4.MCE=0. And a future fix to allow save/restore\nof KVM_REQ_TRIPLE_FAULT, e.g. so that a synthesized triple fault isn't\nlost on migration, will make it trivially easy for userspace to trigger\nthe WARN.\n\nClearing KVM_REQ_TRIPLE_FAULT when forcibly leaving guest mode is\ntempting, but wrong, especially if/when the request is saved/restored,\ne.g. if userspace restores events (including a triple fault) and then\nrestores nested state (which may forcibly leave guest mode). Ignoring\nthe fact that KVM doesn't currently provide the necessary APIs, it's\nuserspace's responsibility to manage pending events during save/restore.\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 1399 at arch/x86/kvm/vmx/nested.c:4522 nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 7 PID: 1399 Comm: state_test Not tainted 5.17.0-rc3+ #808\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:nested_vmx_vmexit+0x7fe/0xd90 [kvm_intel]\n Call Trace:\n <TASK>\n vmx_leave_nested+0x30/0x40 [kvm_intel]\n vmx_set_nested_state+0xca/0x3e0 [kvm_intel]\n kvm_arch_vcpu_ioctl+0xf49/0x13e0 [kvm]\n kvm_vcpu_ioctl+0x4b9/0x660 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n </TASK>\n ---[ end trace 0000000000000000 ]---" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "arch/x86/kvm/svm/nested.c", |
| "arch/x86/kvm/vmx/nested.c" |
| ], |
| "versions": [ |
| { |
| "version": "cb6a32c2b8777ad31a02e585584d869251a790e3", |
| "lessThan": "8d3a2aa0976f57320ba89baf9d57fb158dd0cd0d", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "cb6a32c2b8777ad31a02e585584d869251a790e3", |
| "lessThan": "f476a59d5c86c02a79eef893c6da86735f2977ac", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "cb6a32c2b8777ad31a02e585584d869251a790e3", |
| "lessThan": "7de373c9b48229e428ecdb8fbde269c5a8617fd2", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "cb6a32c2b8777ad31a02e585584d869251a790e3", |
| "lessThan": "45846661d10422ce9e22da21f8277540b29eca22", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "arch/x86/kvm/svm/nested.c", |
| "arch/x86/kvm/vmx/nested.c" |
| ], |
| "versions": [ |
| { |
| "version": "5.13", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.13", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.45", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.17.13", |
| "lessThanOrEqual": "5.17.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.18.2", |
| "lessThanOrEqual": "5.18.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.19", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.15.45" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.17.13" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.18.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.13", |
| "versionEndExcluding": "5.19" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/8d3a2aa0976f57320ba89baf9d57fb158dd0cd0d" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f476a59d5c86c02a79eef893c6da86735f2977ac" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/7de373c9b48229e428ecdb8fbde269c5a8617fd2" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/45846661d10422ce9e22da21f8277540b29eca22" |
| } |
| ], |
| "title": "KVM: x86: Drop WARNs that assert a triple fault never \"escapes\" from L2", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2022-49559", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
