Content: A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) x86 subsystem has been resolved. x86 is the instruction set architecture underlying most consumer hardware and the software infrastructure that runs on it.

The vulnerability lies in the complete_hypercall_exit() function. The fix concerns the correct handling of protected guests, such as those using AMD's SEV (Secure Encrypted Virtualization), SEV-ES (Encrypted State) and SEV-SNP (Secure Nested Paging).

The updated implementation uses is_64_bit_hypercall() instead of is_64_bit_mode() to detect a 64-bit hypercall at completion time. The change is needed because, for a guest with protected state, the vCPU (virtual Central Processing Unit) register state that KVM would normally inspect to determine 64-bit mode is not available to the hypervisor. For such guests KVM must therefore assume the hypercall was made in 64-bit mode.

The problem was found by running the sev_smoke_test self-test after modifying it to issue a KVM_HC_MAP_GPA_RANGE hypercall through VMGEXIT. The run triggered a kernel warning that pointed directly at the root cause.

Refer to the original patch submission and discussion for additional technical information:

- Patch submission: https://lore.kernel.org/kvm/e73915d55c36fef8a1024e4a2c878d2a767a20bc.1628115291.git.alexander.willner@mailbox.org/
- Patch discussion: https://lkml.org/lkml/2022/1/6/315

Before

static inline void complete_hypercall_exit(struct kvm_vcpu *vcpu)
{
	/* Derived from CS/EFER, which KVM cannot read for a protected guest. */
	bool op_64_bit = is_64_bit_mode(vcpu);

	if (unlikely(op_64_bit != vcpu->arch.hypercall.ret_64_bit))
		WARN_ON_ONCE(1);
}

After

static inline void complete_hypercall_exit(struct kvm_vcpu *vcpu)
{
	/* Assumes 64-bit for protected guests instead of reading CS/EFER. */
	bool op_64_bit = is_64_bit_hypercall(vcpu);

	if (unlikely(op_64_bit != vcpu->arch.hypercall.ret_64_bit))
		WARN_ON_ONCE(1);
}
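To make the difference between the two helpers concrete, the following is an added, constructed model rather than kernel code: a stand-in vcpu struct whose field names are assumptions, the two detection helpers, and the 32-bit truncation that KVM applies to a hypercall's return value when the caller is not in 64-bit mode. It goes slightly beyond the snippet above by showing the consequence of a wrong decision for a protected guest: is_64_bit_mode() cannot see CS/EFER and would truncate the result, while is_64_bit_hypercall() assumes 64-bit and preserves it.

```c
/* Constructed model (not kernel code) of how KVM decides whether a hypercall
 * came from 64-bit mode, and why that decision matters for protected guests. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for struct kvm_vcpu; the field names are assumptions. */
struct vcpu {
	bool guest_state_protected; /* SEV-ES/SEV-SNP: register state is encrypted */
	bool efer_lma;              /* EFER.LMA, readable only for unprotected guests */
	bool cs_l;                  /* CS.L, readable only for unprotected guests */
};

/* The old check: needs CS and EFER. For a protected guest KVM cannot read
 * them, so the model returns false (the real helper also warns here). */
static bool is_64_bit_mode(const struct vcpu *v)
{
	if (v->guest_state_protected)
		return false;
	return v->efer_lma && v->cs_l;
}

/* The new check: a protected guest's hypercall registers reach KVM through
 * VMGEXIT/GHCB and are 64-bit by construction, so assume 64-bit without CS. */
static bool is_64_bit_hypercall(const struct vcpu *v)
{
	return v->guest_state_protected || is_64_bit_mode(v);
}

/* Value written back to the guest's RAX: a 32-bit caller only gets the low
 * half, so a wrong mode decision turns -EINVAL into a large positive number. */
static uint64_t complete_hypercall(const struct vcpu *v, uint64_t ret,
				   bool (*detect)(const struct vcpu *))
{
	return detect(v) ? ret : (uint32_t)ret;
}

int main(void)
{
	struct vcpu snp = { .guest_state_protected = true };
	uint64_t err = (uint64_t)-22; /* constructed: -EINVAL as the hypercall result */

	printf("is_64_bit_mode:      %#llx\n",
	       (unsigned long long)complete_hypercall(&snp, err, is_64_bit_mode));
	printf("is_64_bit_hypercall: %#llx\n",
	       (unsigned long long)complete_hypercall(&snp, err, is_64_bit_hypercall));
	return 0;
}
```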

In summary, the Linux kernel has fixed this vulnerability in complete_hypercall_exit() by correctly detecting a 64-bit hypercall for guests with protected state. Applying the latest kernel updates is recommended to close the window for exploitation.

Timeline

Published on: 01/11/2025 13:15:28 UTC
Last modified on: 01/20/2025 06:22:15 UTC