In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emulating the nested VM-Exit can access guest memory.

The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.

=============================
WARNING: suspicious RCU usage
6.14.0-rc3-b112d356288b-vmx/pilockdepfalsepos-lock #3 Not tainted
-----------------------------
include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by triple_fault_ev/1256:
 #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]

stack backtrace:
CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 <TASK>
 dump_stack_lvl+0x7f/0x90
 lockdep_rcu_suspicious+0x144/0x190
 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
 kvm_vcpu_read_guest+0x3e/0x90 [kvm]
 read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
 __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
 kvm_check_nested_events+0x1b/0x30 [kvm]
 kvm_apic_accept_events+0x33/0x100 [kvm]
 kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
 kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
 __x64_sys_ioctl+0x8b/0xb0
 do_syscall_64+0x6c/0x170
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
 </TASK>
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "6.14.0-1005.5", "binary_name": "linux-buildinfo-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-headers-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-image-unsigned-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-image-unsigned-6.14.0-1005-oem-dbgsym" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-modules-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-modules-ipu6-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-modules-ipu7-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-modules-iwlwifi-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-modules-usbio-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-modules-vision-6.14.0-1005-oem" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-oem-6.14-headers-6.14.0-1005" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-oem-6.14-tools-6.14.0-1005" }, { "binary_version": "6.14.0-1005.5", "binary_name": "linux-tools-6.14.0-1005-oem" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "7.6.0+6.14.0-22.22", "binary_name": "bpftool" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-bpf-dev" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-buildinfo-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-buildinfo-6.14.0-22-generic-64k" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-cloud-tools-6.14.0-22" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-cloud-tools-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-cloud-tools-common" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-doc" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-headers-6.14.0-22" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-headers-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-headers-6.14.0-22-generic-64k" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-image-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-image-6.14.0-22-generic-dbgsym" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-image-unsigned-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-image-unsigned-6.14.0-22-generic-64k" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-image-unsigned-6.14.0-22-generic-64k-dbgsym" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-image-unsigned-6.14.0-22-generic-dbgsym" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-lib-rust-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-libc-dev" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-modules-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-modules-6.14.0-22-generic-64k" }, { "binary_version": "6.14.0-22.22", "binary_name": 
"linux-modules-extra-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-modules-ipu6-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-modules-ipu7-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-modules-iwlwifi-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-modules-usbio-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-modules-vision-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-perf" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-source-6.14.0" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-tools-6.14.0-22" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-tools-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-tools-6.14.0-22-generic-64k" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-tools-common" }, { "binary_version": "6.14.0-22.22", "binary_name": "linux-tools-host" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "6.14.0-1007.7", "binary_name": "linux-azure-cloud-tools-6.14.0-1007" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-azure-headers-6.14.0-1007" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-azure-tools-6.14.0-1007" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-buildinfo-6.14.0-1007-azure" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-cloud-tools-6.14.0-1007-azure" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-headers-6.14.0-1007-azure" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-image-unsigned-6.14.0-1007-azure" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-image-unsigned-6.14.0-1007-azure-dbgsym" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-modules-6.14.0-1007-azure" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-modules-extra-6.14.0-1007-azure" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-tools-6.14.0-1007-azure" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "6.14.0-1008.8", "binary_name": "linux-buildinfo-6.14.0-1008-gcp" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-buildinfo-6.14.0-1008-gcp-64k" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-gcp-headers-6.14.0-1008" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-gcp-tools-6.14.0-1008" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-headers-6.14.0-1008-gcp" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-headers-6.14.0-1008-gcp-64k" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-image-unsigned-6.14.0-1008-gcp" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-image-unsigned-6.14.0-1008-gcp-64k" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-image-unsigned-6.14.0-1008-gcp-64k-dbgsym" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-image-unsigned-6.14.0-1008-gcp-dbgsym" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-modules-6.14.0-1008-gcp" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-modules-6.14.0-1008-gcp-64k" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-modules-extra-6.14.0-1008-gcp" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-modules-extra-6.14.0-1008-gcp-64k" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-tools-6.14.0-1008-gcp" }, { "binary_version": "6.14.0-1008.8", "binary_name": "linux-tools-6.14.0-1008-gcp-64k" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "6.14.0-1007.7", "binary_name": "linux-buildinfo-6.14.0-1007-raspi" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-headers-6.14.0-1007-raspi" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-image-6.14.0-1007-raspi" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-image-6.14.0-1007-raspi-dbgsym" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-modules-6.14.0-1007-raspi" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-raspi-headers-6.14.0-1007" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-raspi-tools-6.14.0-1007" }, { "binary_version": "6.14.0-1007.7", "binary_name": "linux-tools-6.14.0-1007-raspi" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "6.14.0-1004.4", "binary_name": "linux-buildinfo-6.14.0-1004-realtime" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-cloud-tools-6.14.0-1004-realtime" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-headers-6.14.0-1004-realtime" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-image-unsigned-6.14.0-1004-realtime" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-image-unsigned-6.14.0-1004-realtime-dbgsym" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-modules-6.14.0-1004-realtime" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-modules-extra-6.14.0-1004-realtime" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-modules-iwlwifi-6.14.0-1004-realtime" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-realtime-cloud-tools-6.14.0-1004" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-realtime-headers-6.14.0-1004" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-realtime-tools-6.14.0-1004" }, { "binary_version": "6.14.0-1004.4", "binary_name": "linux-tools-6.14.0-1004-realtime" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-buildinfo-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-headers-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-image-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-image-6.14.0-22-generic-dbgsym" }, { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-modules-6.14.0-22-generic" }, { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-riscv-headers-6.14.0-22" }, { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-riscv-tools-6.14.0-22" }, { "binary_version": "6.14.0-22.22.1", "binary_name": "linux-tools-6.14.0-22-generic" } ] }