Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's KVM module for x86 has been identified in the management of the guest Floating Point Unit (FPU) state. KVM derived the user ABI size of the guest FPU from the host's default user state size; on hosts that do not support XSAVE, such as Core2 CPUs, that is the 512-byte legacy FXSAVE image, smaller than the historical 4096-byte buffer (struct kvm_xsave) that KVM has always used for guest FPU state. When the guest FPU state is saved for userspace on such a host, KVM copies the FXSAVE image and then sets the xfeatures field of the XSAVE header that immediately follows it, so that the saved state can later be restored on an XSAVE-capable host. With a buffer allocated at only 512 bytes, as the expanded-buffer KVM_GET_XSAVE2 ioctl does, that header write lands past the end of the allocation and corrupts adjacent kernel memory. The Kernel Address Sanitizer (KASAN) reports the access as an out-of-bounds write.
Triggering the bug writes the 8-byte header field past the undersized buffer, silently corrupting whatever sits next to it in the kernel heap. The trigger is host-side: a VMM, or any process holding a vCPU file descriptor, asking KVM for the expanded guest FPU state; no cooperation from the guest is needed. KASAN only reports the write on kernels built with it, and it is a debugging aid rather than a mitigation, so the report is evidence that the corruption happened, not containment of it; a production kernel without KASAN corrupts memory without any diagnostic.
The vulnerability can be reproduced by running a virtual machine on a host that does not support XSAVE, such as a machine with a Core2 CPU, with a KASAN-enabled kernel, and having the VMM save the vCPU FPU state through the expanded-buffer interface, as it does when dumping or migrating vCPU state; KASAN reports the out-of-bounds write at that point. The XSAVE header field that KVM writes exists so that state saved on such a host remains restorable on a destination that does support XSAVE; the destination host is not part of the trigger, and no migration to an XSAVE-capable host is required to hit the bug.
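The following is an added example, not kernel code and not from this advisory: a userspace model of the guest-FPU copy-out path described above (the sizing of the user ABI buffer and the unconditional XSAVE header write on an FXSAVE-only host), with a poisoned redzone standing in for KASAN so the overflow from the reproduction scenario shows up as a count of clobbered bytes. The layout constants follow the x86 XSAVE user ABI (512-byte legacy FXSAVE image, XSAVE header immediately after it, xfeatures as the header's first u64); the struct and function names are this example's own, chosen to mirror the kernel's roles, not its identifiers, and the FXSAVE image contents are constructed sample data.

```c
/*
 * Added example (not kernel code): a userspace model of KVM's guest-FPU
 * copy-out on a host without XSAVE, with a redzone check standing in for
 * KASAN. Layout constants follow the x86 XSAVE uABI: the legacy FXSAVE
 * image is 512 bytes and the XSAVE header (first field: xfeatures, u64)
 * starts right after it. Struct and function names are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FXSAVE_SIZE          512u   /* legacy FXSAVE image, all an XSAVE-less host produces */
#define XSAVE_HDR_OFFSET     512u   /* XSAVE header follows the legacy region */
#define KVM_XSAVE_SIZE       4096u  /* sizeof(struct kvm_xsave): the historical uABI buffer */
#define XFEATURE_MASK_FPSSE  0x3ull /* x87 | SSE: marks the image restorable with XRSTOR */
#define REDZONE              64u    /* toy KASAN: poisoned bytes placed after the object */
#define POISON               0xAAu

/* uABI size advertised for the expanded (KVM_GET_XSAVE2-style) buffer. */
static size_t guest_uabi_size(bool host_has_xsave, size_t host_xsave_size, bool fixed)
{
    if (fixed)
        return KVM_XSAVE_SIZE;   /* fixed behaviour: always the 4096-byte uABI size */
    /* buggy behaviour: the host's default user size, which without XSAVE is
     * just the FXSAVE image and leaves no room for the XSAVE header */
    return host_has_xsave ? host_xsave_size : FXSAVE_SIZE;
}

/* Model of the non-XSAVE copy-out branch: copy the FXSAVE image, then set
 * xfeatures in the XSAVE header so an XSAVE-capable destination can restore
 * the state. The header write is unconditional; that is what overflows when
 * 'buf' was allocated at only FXSAVE_SIZE bytes. */
static void copy_guest_fpstate_to_uabi_model(const uint8_t *fxsave_image, uint8_t *buf)
{
    uint64_t xfeatures = XFEATURE_MASK_FPSSE;

    memcpy(buf, fxsave_image, FXSAVE_SIZE);
    memcpy(buf + XSAVE_HDR_OFFSET, &xfeatures, sizeof(xfeatures));
}

/* Simulate the ioctl on an XSAVE-less host: allocate exactly 'uabi_size'
 * bytes for the object, followed by a poisoned redzone, run the copy-out and
 * report how many redzone bytes were clobbered (0 means the write stayed in
 * bounds). The arena always covers the header write, so the model itself
 * never writes out of bounds; the redzone turns the overflow into a count. */
static size_t clobbered_redzone_bytes(size_t uabi_size)
{
    uint8_t fxsave_image[FXSAVE_SIZE];
    uint8_t *arena;
    size_t clobbered = 0;

    if (uabi_size < FXSAVE_SIZE)            /* sizes below the legacy image are not modelled */
        return (size_t)-1;
    arena = malloc(uabi_size + REDZONE);
    if (!arena)
        return (size_t)-1;

    memset(fxsave_image, 0x11, sizeof(fxsave_image));   /* constructed sample state */
    memset(arena, 0, uabi_size);
    memset(arena + uabi_size, POISON, REDZONE);

    copy_guest_fpstate_to_uabi_model(fxsave_image, arena);

    for (size_t i = 0; i < REDZONE; i++)
        if (arena[uabi_size + i] != POISON)
            clobbered++;
    free(arena);
    return clobbered;
}

int main(void)
{
    size_t buggy = guest_uabi_size(false, 0, false);
    size_t fixed = guest_uabi_size(false, 0, true);

    printf("buggy uabi_size=%zu -> %zu redzone bytes clobbered\n",
           buggy, clobbered_redzone_bytes(buggy));
    printf("fixed uabi_size=%zu -> %zu redzone bytes clobbered\n",
           fixed, clobbered_redzone_bytes(fixed));
    return 0;
}
```

With the buggy sizing the 8-byte xfeatures write lands entirely in the redzone, which is the same 8-byte out-of-bounds write KASAN reports on a real host; with the 4096-byte buffer the header sits well inside the object and nothing is clobbered.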