CVE-2022-48763

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Forcibly leave nested virt when SMM state is toggled

Forcibly leave nested virtualization operation if userspace toggles SMM state via KVMSETVCPUEVENTS or KVMSYNCX86EVENTS. If userspace forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, vmxentersmm() will overwrite vmx->nested.smm.vmxon and end up with both vmxon=false and smm.vmxon=false, but all other nVMX state allocated.

Don't attempt to gracefully handle the transition as (a) most transitions are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't sufficient information to handle all transitions, e.g. SVM wants access to the SMRAM save state, and (c) KVMSETVCPUEVENTS must precede KVMSETNESTEDSTATE during state restore as the latter disallows putting the vCPU into L2 if SMM is active, and disallows tagging the vCPU as being post-VMXON in SMM if SMM is not active.

Abuse of KVMSETVCPU_EVENTS manifests as a WARN and memory leak in nVMX due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU in an architecturally impossible state.

WARNING: CPU: 0 PID: 3606 at freeloadedvmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] WARNING: CPU: 0 PID: 3606 at freeloadedvmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Modules linked in: CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:freeloadedvmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] RIP: 0010:freeloadedvmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 Call Trace: <TASK> kvmarchvcpudestroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 kvmvcpudestroy arch/x86/kvm/../../../virt/kvm/kvmmain.c:441 [inline] kvmdestroyvcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvmmain.c:460 kvmfreevcpus arch/x86/kvm/x86.c:11564 [inline] kvmarchdestroyvm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 kvmdestroyvm arch/x86/kvm/../../../virt/kvm/kvmmain.c:1217 [inline] kvmputkvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvmmain.c:1250 kvmvmrelease+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvmmain.c:1273 _fput+0x286/0x9f0 fs/filetable.c:311 taskworkrun+0xdd/0x1a0 kernel/taskwork.c:164 exittaskwork include/linux/taskwork.h:32 [inline] doexit+0xb29/0x2a30 kernel/exit.c:806 dogroupexit+0xd2/0x2f0 kernel/exit.c:935 getsignal+0x4b0/0x28c0 kernel/signal.c:2862 archdosignalorrestart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868 handlesignalwork kernel/entry/common.c:148 [inline] exittousermodeloop kernel/entry/common.c:172 [inline] exittousermodeprepare+0x17d/0x290 kernel/entry/common.c:207 _syscallexittousermodework kernel/entry/common.c:289 [inline] syscallexittousermode+0x19/0x60 kernel/entry/common.c:300 dosyscall64+0x42/0xb0 arch/x86/entry/common.c:86 entrySYSCALL64after_hwframe+0x44/0xae </TASK>