cve/published/2024/CVE-2024-46830.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46830: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

 Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly
 leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX
 reads guest memory.

 Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN
 via sync_regs(), which already holds SRCU.  I.e. trying to precisely use
 kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause
 problems.  Acquiring SRCU isn't all that expensive, so for simplicity,
 grab it unconditionally for KVM_SET_VCPU_EVENTS.

  =============================
  WARNING: suspicious RCU usage
  6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted
  -----------------------------
  include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!

  other info that might help us debug this:

  rcu_scheduler_active = 2, debug_locks = 1
  1 lock held by repro/1071:
   #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]

  stack backtrace:
  CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  Call Trace:
   <TASK>
   dump_stack_lvl+0x7f/0x90
   lockdep_rcu_suspicious+0x13f/0x1a0
   kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]
   kvm_vcpu_read_guest+0x3e/0x90 [kvm]
   nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]
   load_vmcs12_host_state+0x432/0xb40 [kvm_intel]
   vmx_leave_nested+0x30/0x40 [kvm_intel]
   kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]
   kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]
   ? mark_held_locks+0x49/0x70
   ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]
   ? kvm_vcpu_ioctl+0x497/0x970 [kvm]
   kvm_vcpu_ioctl+0x497/0x970 [kvm]
   ? lock_acquire+0xba/0x2d0
   ? find_held_lock+0x2b/0x80
   ? do_user_addr_fault+0x40c/0x6f0
   ? lock_release+0xb7/0x270
   __x64_sys_ioctl+0x82/0xb0
   do_syscall_64+0x6c/0x170
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x7ff11eb1b539
   </TASK>

 The Linux kernel CVE team has assigned CVE-2024-46830 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.1.110 with commit fa297c33faefe51e10244e8a378837fca4963228
 	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.6.51 with commit 939375737b5a0b1bf9b1e75129054e11bc9ca65e
 	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.10.10 with commit ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9
 	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.11 with commit 4bcdd831d9d01e0fb64faea50732b59b2ee88da1
 	Issue introduced in 5.10.97 with commit 080dbe7e9b86a0392d8dffc00d9971792afc121f
 	Issue introduced in 5.15.19 with commit e302786233e6bc512986d007c96458ccf5ca21c7
 	Issue introduced in 5.16.5 with commit b4c0d89c92e957ecccce12e66b63875d0cc7af7e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46830
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/x86.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228
 	https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e
 	https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9
 	https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2ee88da1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46830: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

	Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly
	leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX
	reads guest memory.

	Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN
	via sync_regs(), which already holds SRCU. I.e. trying to precisely use
	kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause
	problems. Acquiring SRCU isn't all that expensive, so for simplicity,
	grab it unconditionally for KVM_SET_VCPU_EVENTS.

	=============================
	WARNING: suspicious RCU usage
	6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted
	-----------------------------
	include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!

	other info that might help us debug this:

	rcu_scheduler_active = 2, debug_locks = 1
	1 lock held by repro/1071:
	#0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]

	stack backtrace:
	CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
	Call Trace:
	<TASK>
	dump_stack_lvl+0x7f/0x90
	lockdep_rcu_suspicious+0x13f/0x1a0
	kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]
	kvm_vcpu_read_guest+0x3e/0x90 [kvm]
	nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]
	load_vmcs12_host_state+0x432/0xb40 [kvm_intel]
	vmx_leave_nested+0x30/0x40 [kvm_intel]
	kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]
	kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]
	? mark_held_locks+0x49/0x70
	? kvm_vcpu_ioctl+0x7d/0x970 [kvm]
	? kvm_vcpu_ioctl+0x497/0x970 [kvm]
	kvm_vcpu_ioctl+0x497/0x970 [kvm]
	? lock_acquire+0xba/0x2d0
	? find_held_lock+0x2b/0x80
	? do_user_addr_fault+0x40c/0x6f0
	? lock_release+0xb7/0x270
	__x64_sys_ioctl+0x82/0xb0
	do_syscall_64+0x6c/0x170
	entry_SYSCALL_64_after_hwframe+0x4b/0x53
	RIP: 0033:0x7ff11eb1b539
	</TASK>

	The Linux kernel CVE team has assigned CVE-2024-46830 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.1.110 with commit fa297c33faefe51e10244e8a378837fca4963228
	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.6.51 with commit 939375737b5a0b1bf9b1e75129054e11bc9ca65e
	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.10.10 with commit ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9
	Issue introduced in 5.17 with commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb and fixed in 6.11 with commit 4bcdd831d9d01e0fb64faea50732b59b2ee88da1
	Issue introduced in 5.10.97 with commit 080dbe7e9b86a0392d8dffc00d9971792afc121f
	Issue introduced in 5.15.19 with commit e302786233e6bc512986d007c96458ccf5ca21c7
	Issue introduced in 5.16.5 with commit b4c0d89c92e957ecccce12e66b63875d0cc7af7e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46830
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/x86.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228
	https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e
	https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9
	https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2ee88da1