cve/published/2024/CVE-2024-53196.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-53196: KVM: arm64: Don't retire aborted MMIO instruction

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: arm64: Don't retire aborted MMIO instruction

 Returning an abort to the guest for an unsupported MMIO access is a
 documented feature of the KVM UAPI. Nevertheless, it's clear that this
 plumbing has seen limited testing, since userspace can trivially cause a
 WARN in the MMIO return:

   WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
   Call trace:
    kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
    kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133
    kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487
    __do_sys_ioctl fs/ioctl.c:51 [inline]
    __se_sys_ioctl fs/ioctl.c:893 [inline]
    __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
    __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
    invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
    el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132
    do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
    el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712
    el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
    el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

 The splat is complaining that KVM is advancing PC while an exception is
 pending, i.e. that KVM is retiring the MMIO instruction despite a
 pending synchronous external abort. Womp womp.

 Fix the glaring UAPI bug by skipping over all the MMIO emulation in
 case there is a pending synchronous exception. Note that while userspace
 is capable of pending an asynchronous exception (SError, IRQ, or FIQ),
 it is still safe to retire the MMIO instruction in this case as (1) they
 are by definition asynchronous, and (2) KVM relies on hardware support
 for pending/delivering these exceptions instead of the software state
 machine for advancing PC.

 The Linux kernel CVE team has assigned CVE-2024-53196 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.1.120 with commit 6af853cf5f897d55f42e9166f4db50e84e404fb3
 	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.6.66 with commit ea6b5d98fea4ee8cb443ea98fda520909e90d30e
 	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.11.11 with commit 1e46460efe1ef9a31748de7675ff8fe0d8601af2
 	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.12.2 with commit d0571c3add987bcb69c2ffd7a70c998bf8ce60fb
 	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.13 with commit e735a5da64420a86be370b216c269b5dd8e830e2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-53196
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm64/kvm/mmio.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6af853cf5f897d55f42e9166f4db50e84e404fb3
 	https://git.kernel.org/stable/c/ea6b5d98fea4ee8cb443ea98fda520909e90d30e
 	https://git.kernel.org/stable/c/1e46460efe1ef9a31748de7675ff8fe0d8601af2
 	https://git.kernel.org/stable/c/d0571c3add987bcb69c2ffd7a70c998bf8ce60fb
 	https://git.kernel.org/stable/c/e735a5da64420a86be370b216c269b5dd8e830e2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-53196: KVM: arm64: Don't retire aborted MMIO instruction

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: arm64: Don't retire aborted MMIO instruction

	Returning an abort to the guest for an unsupported MMIO access is a
	documented feature of the KVM UAPI. Nevertheless, it's clear that this
	plumbing has seen limited testing, since userspace can trivially cause a
	WARN in the MMIO return:

	WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
	Call trace:
	kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536
	kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133
	kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487
	__do_sys_ioctl fs/ioctl.c:51 [inline]
	__se_sys_ioctl fs/ioctl.c:893 [inline]
	__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893
	__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
	invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
	el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132
	do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
	el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712
	el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
	el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

	The splat is complaining that KVM is advancing PC while an exception is
	pending, i.e. that KVM is retiring the MMIO instruction despite a
	pending synchronous external abort. Womp womp.

	Fix the glaring UAPI bug by skipping over all the MMIO emulation in
	case there is a pending synchronous exception. Note that while userspace
	is capable of pending an asynchronous exception (SError, IRQ, or FIQ),
	it is still safe to retire the MMIO instruction in this case as (1) they
	are by definition asynchronous, and (2) KVM relies on hardware support
	for pending/delivering these exceptions instead of the software state
	machine for advancing PC.

	The Linux kernel CVE team has assigned CVE-2024-53196 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.1.120 with commit 6af853cf5f897d55f42e9166f4db50e84e404fb3
	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.6.66 with commit ea6b5d98fea4ee8cb443ea98fda520909e90d30e
	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.11.11 with commit 1e46460efe1ef9a31748de7675ff8fe0d8601af2
	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.12.2 with commit d0571c3add987bcb69c2ffd7a70c998bf8ce60fb
	Issue introduced in 5.5 with commit da345174ceca052469e4775e4ae263b5f27a9355 and fixed in 6.13 with commit e735a5da64420a86be370b216c269b5dd8e830e2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-53196
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm64/kvm/mmio.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6af853cf5f897d55f42e9166f4db50e84e404fb3
	https://git.kernel.org/stable/c/ea6b5d98fea4ee8cb443ea98fda520909e90d30e
	https://git.kernel.org/stable/c/1e46460efe1ef9a31748de7675ff8fe0d8601af2
	https://git.kernel.org/stable/c/d0571c3add987bcb69c2ffd7a70c998bf8ce60fb
	https://git.kernel.org/stable/c/e735a5da64420a86be370b216c269b5dd8e830e2