A significant issue has been discovered in the Linux kernel through version 6.9 that affects guests running under AMD SEV-SNP and AMD SEV-ES. The vulnerability, tracked as CVE-2024-25743, allows an untrusted hypervisor to inject virtual interrupts 0 and 14 into the guest at any point in time, which can trigger the SIGFPE signal handler in userspace applications that never executed a faulting instruction.

In this long read, we will analyze the details of the vulnerability, discuss the affected components, walk through code for better understanding, and reference the original report and patch. The goal is an in-depth but readable account of the issue at hand.

Exploit Details

The issue lies in how an SEV-ES or SEV-SNP guest kernel handles exceptions that the hypervisor injects into it. AMD SEV-ES (Encrypted State) and AMD SEV-SNP (Secure Nested Paging) encrypt guest memory and register state so that the hypervisor cannot read or tamper with them, but the hypervisor still controls event injection into the guest. The guest kernel does not check that an injected exception vector corresponds to a condition the guest itself caused, so a malicious hypervisor can inject vector 0 (#DE, divide error) or vector 14 (#PF, page fault) at a moment of its choosing. When vector 0 arrives while a user process is running, the guest kernel's divide-error handler treats it as a genuine integer division fault and sends SIGFPE (Floating Point Exception) to that process, invoking its signal handler without any division having taken place.

The following sketch illustrates the shape of the problem. It is a simplified illustration of an intercept dispatcher with a blind fallback, not a verbatim excerpt of the Linux kernel source; the declarations at the top are stand-ins so that the sketch compiles.

// Illustrative sketch, not kernel source. Stand-in declarations follow.
#include <signal.h>
#include <stdint.h>

struct kvm_vcpu;

// Handler indices for this sketch.
enum { KVM_IO_HANDLER, KVM_MSR_HANDLER, KVM_NPF_HANDLER, KVM_NUM_HANDLERS };

// VMCB exit codes for I/O, MSR access and nested page fault.
enum { SVM_EXIT_IOIO = 0x07b, SVM_EXIT_MSR = 0x07c, SVM_EXIT_NPF = 0x400 };

extern void (*kvm_io_handlers[KVM_NUM_HANDLERS])(struct kvm_vcpu *vcpu);
extern void kvm_send_sig(struct kvm_vcpu *vcpu, int sig);

// Map a VM-exit code to a handler index, or -1 if none is known.
static int svm_get_io_intercept_handler(uint32_t exit_code) {
    switch (exit_code) {
    case SVM_EXIT_IOIO:
        return KVM_IO_HANDLER;
    case SVM_EXIT_MSR:
        return KVM_MSR_HANDLER;
    case SVM_EXIT_NPF:
        return KVM_NPF_HANDLER;
    default:
        return -1;
    }
}

static int svm_launch_io_intercept_handler(struct kvm_vcpu *vcpu, uint32_t exit_code) {
    int handler = svm_get_io_intercept_handler(exit_code);

    if (handler >= 0)
        kvm_io_handlers[handler](vcpu);
    else
        kvm_send_sig(vcpu, SIGFPE);  // unknown exit code: SIGFPE is raised without validation

    return 1;
}

In this sketch, svm_launch_io_intercept_handler dispatches on a VM-exit code and, when nothing matches, falls back to delivering SIGFPE. The point to take from it is the pattern rather than the specific functions: an event whose origin is the hypervisor is acted on without checking that the guest actually caused it. In the real vulnerability the misplaced trust is in the injected exception vector itself. The guest kernel reacts to an injected #DE exactly as it would to a real division fault, so the hypervisor, which chooses when to inject, effectively controls when the victim process's SIGFPE handler runs.
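Because the guest kernel cannot tell an injected #DE from a real one, the practical caveat for application authors is not to trust a SIGFPE blindly either. The following userspace program is an added example, not code from the original page or from the Linux kernel. Its handler reads the faulting RIP from the ucontext, decodes whether the instruction there is really a DIV/IDIV, and checks si_code, counting anything else as suspicious. It assumes x86-64 Linux with glibc; the instruction decoder is deliberately minimal (0x66 and REX prefixes only), and the REG_RIP fallback value is glibc's x86-64 index.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <ucontext.h>

/* Return 1 if the bytes at p encode an x86-64 DIV or IDIV r/m instruction
 * (opcode 0xF6/0xF7 with ModRM.reg == 6 or 7), allowing an optional 0x66
 * operand-size prefix and an optional REX prefix (0x40-0x4F). Anything else,
 * including too few bytes, returns 0. */
int is_div_instruction(const uint8_t *p, size_t len)
{
    size_t i = 0;

    if (i < len && p[i] == 0x66)
        i++;
    if (i < len && (p[i] & 0xF0) == 0x40)
        i++;
    if (i + 1 >= len)
        return 0;
    if (p[i] != 0xF6 && p[i] != 0xF7)
        return 0;
    /* Group-3 opcode: reg 6 = DIV, reg 7 = IDIV (2..5 are NOT/NEG/MUL/IMUL). */
    return ((p[i + 1] >> 3) & 7) >= 6;
}

/* Classify a SIGFPE as genuine (1) only if the kernel reports an integer
 * divide (FPE_INTDIV) and the faulting instruction really is DIV/IDIV. */
int classify_sigfpe(int si_code, const uint8_t *rip_bytes, size_t len)
{
    return si_code == FPE_INTDIV && is_div_instruction(rip_bytes, len);
}

#if defined(__x86_64__) && defined(__linux__)
#ifndef REG_RIP
#define REG_RIP 16  /* glibc x86-64 gregs index, assumed when the enum is hidden */
#endif

static sigjmp_buf recover;
static volatile sig_atomic_t genuine_faults;
static volatile sig_atomic_t suspicious_faults;

static void sigfpe_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    const uint8_t *rip = (const uint8_t *)uc->uc_mcontext.gregs[REG_RIP];

    (void)sig;
    /* Inspect at most 4 bytes at RIP: prefix, REX, opcode, ModRM. */
    if (classify_sigfpe(si->si_code, rip, 4))
        genuine_faults++;
    else
        suspicious_faults++;
    siglongjmp(recover, 1);
}

int main(void)
{
    struct sigaction sa = { 0 };
    volatile int numerator = 1, divisor = 0, result = 0;

    sa.sa_sigaction = sigfpe_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGFPE, &sa, NULL);

    /* A real integer division by zero: the handler counts it as genuine. */
    if (sigsetjmp(recover, 1) == 0)
        result = numerator / divisor;

    printf("genuine=%d suspicious=%d result=%d\n",
           (int)genuine_faults, (int)suspicious_faults, result);
    return 0;
}
#endif
```

This is a heuristic, not a fix: it does not stop the guest kernel from trusting injected vectors, and a hypervisor that injects #DE precisely while a real DIV is executing would still pass the check. What it does buy is that a handler which performs sensitive work on SIGFPE (cleanup, fallback code paths, logging secrets) no longer runs on a hypervisor-chosen schedule for arbitrary instructions.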

For the original advisory and patch, please refer to the following resources:

1. The original disclosure report: link to the original report
2. The corresponding Linux kernel patch: link to the patch

Conclusion

CVE-2024-25743 poses a significant risk to users and systems relying on AMD SEV-SNP and AMD SEV-ES. The ability of an untrusted hypervisor to inject virtual interrupts 0 and 14 at will means a guest's SIGFPE signal handlers can be invoked at attacker-chosen moments, leading to unexpected application behaviour and crashes, and undermining the isolation from the hypervisor that these technologies are meant to provide. Linux kernel users running confidential VMs should deploy the aforementioned patch and treat hypervisor-delivered exceptions as untrusted input until they do.

It is essential for the community to remain vigilant and continuously review security updates to ensure that existing vulnerabilities are addressed. By working together, we can create a safer technology landscape for users and organizations alike.

Timeline

Published on: 05/15/2024 18:15:10 UTC
Last modified on: 08/15/2024 16:35:04 UTC