cve/published/2024/CVE-2024-39483.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-39483: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked

 When requesting an NMI window, WARN on vNMI support being enabled if and
 only if NMIs are actually masked, i.e. if the vCPU is already handling an
 NMI.  KVM's ABI for NMIs that arrive simultanesouly (from KVM's point of
 view) is to inject one NMI and pend the other.  When using vNMI, KVM pends
 the second NMI simply by setting V_NMI_PENDING, and lets the CPU do the
 rest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected).

 However, if KVM can't immediately inject an NMI, e.g. because the vCPU is
 in an STI shadow or is running with GIF=0, then KVM will request an NMI
 window and trigger the WARN (but still function correctly).

 Whether or not the GIF=0 case makes sense is debatable, as the intent of
 KVM's behavior is to provide functionality that is as close to real
 hardware as possible.  E.g. if two NMIs are sent in quick succession, the
 probability of both NMIs arriving in an STI shadow is infinitesimally low
 on real hardware, but significantly larger in a virtual environment, e.g.
 if the vCPU is preempted in the STI shadow.  For GIF=0, the argument isn't
 as clear cut, because the window where two NMIs can collide is much larger
 in bare metal (though still small).

 That said, KVM should not have divergent behavior for the GIF=0 case based
 on whether or not vNMI support is enabled.  And KVM has allowed
 simultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400
 ("KVM: Fix simultaneous NMIs").  I.e. KVM's GIF=0 handling shouldn't be
 modified without a *really* good reason to do so, and if KVM's behavior
 were to be modified, it should be done irrespective of vNMI support.

 The Linux kernel CVE team has assigned CVE-2024-39483 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit fa4c027a7956f5e07697bfcb580d25eeb8471257 and fixed in 6.6.34 with commit f79edaf7370986d73d204b36c50cc563a4c0f356
 	Issue introduced in 6.4 with commit fa4c027a7956f5e07697bfcb580d25eeb8471257 and fixed in 6.9.5 with commit 1d87cf2eba46deaff6142366127f2323de9f84d1
 	Issue introduced in 6.4 with commit fa4c027a7956f5e07697bfcb580d25eeb8471257 and fixed in 6.10 with commit b4bd556467477420ee3a91fbcba73c579669edc6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-39483
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/svm/svm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f79edaf7370986d73d204b36c50cc563a4c0f356
 	https://git.kernel.org/stable/c/1d87cf2eba46deaff6142366127f2323de9f84d1
 	https://git.kernel.org/stable/c/b4bd556467477420ee3a91fbcba73c579669edc6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-39483: KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked

	When requesting an NMI window, WARN on vNMI support being enabled if and
	only if NMIs are actually masked, i.e. if the vCPU is already handling an
	NMI. KVM's ABI for NMIs that arrive simultanesouly (from KVM's point of
	view) is to inject one NMI and pend the other. When using vNMI, KVM pends
	the second NMI simply by setting V_NMI_PENDING, and lets the CPU do the
	rest (hardware automatically sets V_NMI_BLOCKING when an NMI is injected).

	However, if KVM can't immediately inject an NMI, e.g. because the vCPU is
	in an STI shadow or is running with GIF=0, then KVM will request an NMI
	window and trigger the WARN (but still function correctly).

	Whether or not the GIF=0 case makes sense is debatable, as the intent of
	KVM's behavior is to provide functionality that is as close to real
	hardware as possible. E.g. if two NMIs are sent in quick succession, the
	probability of both NMIs arriving in an STI shadow is infinitesimally low
	on real hardware, but significantly larger in a virtual environment, e.g.
	if the vCPU is preempted in the STI shadow. For GIF=0, the argument isn't
	as clear cut, because the window where two NMIs can collide is much larger
	in bare metal (though still small).

	That said, KVM should not have divergent behavior for the GIF=0 case based
	on whether or not vNMI support is enabled. And KVM has allowed
	simultaneous NMIs with GIF=0 for over a decade, since commit 7460fb4a3400
	("KVM: Fix simultaneous NMIs"). I.e. KVM's GIF=0 handling shouldn't be
	modified without a really good reason to do so, and if KVM's behavior
	were to be modified, it should be done irrespective of vNMI support.

	The Linux kernel CVE team has assigned CVE-2024-39483 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit fa4c027a7956f5e07697bfcb580d25eeb8471257 and fixed in 6.6.34 with commit f79edaf7370986d73d204b36c50cc563a4c0f356
	Issue introduced in 6.4 with commit fa4c027a7956f5e07697bfcb580d25eeb8471257 and fixed in 6.9.5 with commit 1d87cf2eba46deaff6142366127f2323de9f84d1
	Issue introduced in 6.4 with commit fa4c027a7956f5e07697bfcb580d25eeb8471257 and fixed in 6.10 with commit b4bd556467477420ee3a91fbcba73c579669edc6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-39483
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/svm/svm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f79edaf7370986d73d204b36c50cc563a4c0f356
	https://git.kernel.org/stable/c/1d87cf2eba46deaff6142366127f2323de9f84d1
	https://git.kernel.org/stable/c/b4bd556467477420ee3a91fbcba73c579669edc6