CVE-2023-53663

Source: https://nvd.nist.gov/vuln/detail/CVE-2023-53663
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53663.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2023-53663
Published: 2025-10-07T15:21:22Z
Modified: 2025-10-21T18:15:22.196064Z
Summary
KVM: nSVM: Check instead of asserting on nested TSC scaling support
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Check instead of asserting on nested TSC scaling support

Check for nested TSC scaling support on nested SVM VMRUN instead of asserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIO has diverged from KVM's default. Userspace can trigger the WARN at will by writing the MSR and then updating guest CPUID to hide the feature (modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking KVM's state_test selftest to do

    vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);
    vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);

after restoring state in a new VM+vCPU yields an endless supply of:

    ------------[ cut here ]------------
    WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699 nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]
    Call Trace:
     <TASK>
     enter_svm_guest_mode+0x114/0x560 [kvm_amd]
     nested_svm_vmrun+0x260/0x330 [kvm_amd]
     vmrun_interception+0x29/0x30 [kvm_amd]
     svm_invoke_exit_handler+0x35/0x100 [kvm_amd]
     svm_handle_exit+0xe7/0x180 [kvm_amd]
     kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]
     kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]
     __se_sys_ioctl+0x7a/0xc0
     __x64_sys_ioctl+0x21/0x30
     do_syscall_64+0x41/0x90
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x45ca1b

Note, the nested #VMEXIT path has the same flaw, but needs a different fix and will be handled separately.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 5228eb96a4875f8cf5d61d486e3795ac14df8904
Fixed: 6c1ecfea1daf6e75c46e295aad99dfbafd878897

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 5228eb96a4875f8cf5d61d486e3795ac14df8904
Fixed: 02b24270568f65dd607c4a848512dc8055b4491b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 5228eb96a4875f8cf5d61d486e3795ac14df8904
Fixed: 7cafe9b8e22bb3d77f130c461aedf6868c4aaf58

Affected versions

v5.*

v5.15
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.2
v6.5.3

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 5.16.0
Fixed: 6.1.54

Type: ECOSYSTEM
Events:
Introduced: 6.2.0
Fixed: 6.5.4
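
A triage helper built from this record's data, as an added example that is not part of the OSV record or the kernel sources: it checks a kernel release against the ECOSYSTEM ranges above and scans kernel log text for the WARN quoted in Details. The function names and the sample log are constructed for illustration.

```python
import re

# ECOSYSTEM ranges from this record, as [introduced, fixed) version tuples.
AFFECTED_RANGES = [((5, 16, 0), (6, 1, 54)), ((6, 2, 0), (6, 5, 4))]

# WARN signature from the Details section. The source line number (699) and
# the symbol offsets differ between builds, so only file and function are matched.
WARN_RE = re.compile(
    r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at arch/x86/kvm/svm/nested\.c:\d+ "
    r"nested_vmcb02_prepare_control\+"
)


def parse_release(release):
    """Turn a `uname -r` style string such as '6.1.38-generic' into (6, 1, 38)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release):
    """True if the upstream version falls in a range listed by this record.

    Distribution kernels may carry the fix as a backport without changing the
    upstream version, so a True result means "check the vendor advisory".
    """
    version = parse_release(release)
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def find_warn_hits(log_text):
    """Return the PIDs of tasks that hit the nested TSC scaling WARN."""
    return [int(m.group("pid")) for m in WARN_RE.finditer(log_text)]


# Constructed sample log, modelled on the trace in this record.
SAMPLE_LOG = """\
[ 101.1] WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699 nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]
[ 101.1]  enter_svm_guest_mode+0x114/0x560 [kvm_amd]
[ 102.4] WARNING: CPU: 3 PID: 410 at net/core/dev.c:1 unrelated_function+0x1/0x2
"""

if __name__ == "__main__":
    for rel in ("5.10.0", "6.1.38-generic", "6.1.54", "6.5.3", "6.5.4"):
        print(rel, "in affected range:", in_affected_range(rel))
    print("WARN hit PIDs:", find_warn_hits(SAMPLE_LOG))
```

The PID in a hit identifies the VMM process that issued the ioctl, which is the starting point for finding which userspace component wrote the MSR and then changed guest CPUID.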