Linux Kernel KVM Nested TSC Multiplier State Management Vulnerability

Vulnerability

A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) module has been addressed. The issue lies in nested SVM (Secure Virtual Machine) handling of the TSC (Time Stamp Counter) multiplier: when emulating a nested VM-exit, KVM used the TSC multiplier state of the second-level (L2) guest instead of the first-level (L1) state. Because of this, userspace could change whether the TSC scaling feature is visible to the guest and trigger kernel warnings that could be exploited. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability could lead to incorrect TSC scaling management in nested virtual machine environments, potentially causing timing-related issues or inconsistencies.

Reproduction

The vulnerability can be reproduced by writing a specific value to the TSC ratio MSR (Model Specific Register) and then updating the guest CPUID so that the TSC scaling feature is no longer advertised. This can be done by modifying KVM's state_test selftest to include the appropriate vCPU MSR write and CPUID feature change. With these modifications, restoring the saved KVM state into a new virtual machine and vCPU generates repeated warnings, indicating the TSC scaling issue.
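The following simplified model is an added illustration and is not Linux/KVM code or the advisory's own material. It mirrors the two states the advisory contrasts (L1's TSC multiplier versus L2's) and replays the reproduction sequence above: write a non-default ratio, hide TSC scaling through CPUID, then emulate the VM-exit back to L1 that a state restore performs. The struct layout, the 8.32 fixed-point default ratio of 1.0, and the consistency check standing in for a kernel WARN_ON are assumptions chosen for the illustration.

```c
/*
 * Simplified model of nested SVM TSC-multiplier bookkeeping (added example,
 * not kernel code). Fields, default ratio and the warning check are assumed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* AMD's TSC ratio MSR is 8.32 fixed point; 1.0 (no scaling) is 1 << 32. Assumed default. */
#define TSC_RATIO_DEFAULT (1ULL << 32)

struct vcpu_model {
    bool scaling_visible;   /* guest CPUID advertises TSC scaling */
    uint64_t l1_ratio;      /* L1's TSC ratio MSR value as written by userspace */
    uint64_t l2_ratio;      /* effective ratio while running L2 (L1 ratio combined with L1's VMCB) */
    uint64_t hw_ratio;      /* value the model would load into hardware for the current level */
    int warnings;           /* stand-in for kernel WARN_ON hits */
};

/* The ratio L1 is entitled to: if TSC scaling is hidden from the guest, L1 runs unscaled. */
static uint64_t l1_effective_ratio(const struct vcpu_model *v)
{
    return v->scaling_visible ? v->l1_ratio : TSC_RATIO_DEFAULT;
}

/* Assumed consistency check: a guest that cannot see TSC scaling must not be scaled. */
static void check_ratio(struct vcpu_model *v)
{
    if (!v->scaling_visible && v->hw_ratio != TSC_RATIO_DEFAULT) {
        v->warnings++;
        fprintf(stderr, "WARNING: TSC scaling hidden but multiplier is %#llx\n",
                (unsigned long long)v->hw_ratio);
    }
}

/* Emulated nested VM-exit (L2 -> L1). use_l1_state selects the fixed (true) or buggy (false) path. */
static void nested_vmexit(struct vcpu_model *v, bool use_l1_state)
{
    if (use_l1_state)
        v->hw_ratio = l1_effective_ratio(v);   /* fixed: L1's own state decides */
    else
        v->hw_ratio = v->l2_ratio;             /* buggy: reuse L2's multiplier */
    check_ratio(v);
}

/*
 * Replay the advisory's reproduction: set a non-default ratio, hide TSC scaling via
 * CPUID, then restore nested state, which emulates a VM-exit back to L1.
 * Returns the number of warnings the model raised.
 */
int replay_reproduction(bool fixed)
{
    struct vcpu_model v = { .scaling_visible = true, .warnings = 0 };

    v.l1_ratio = 2 * TSC_RATIO_DEFAULT;     /* constructed: userspace writes ratio 2.0 */
    v.l2_ratio = v.l1_ratio;                /* L2 inherits it (L1's VMCB ratio 1.0) */
    v.hw_ratio = v.l2_ratio;                /* vCPU was saved while running L2 */

    v.scaling_visible = false;              /* CPUID update hides TSC scaling */
    nested_vmexit(&v, fixed);               /* state restore emulates the exit to L1 */
    return v.warnings;
}

int main(void)
{
    printf("buggy path warnings: %d\n", replay_reproduction(false));
    printf("fixed path warnings: %d\n", replay_reproduction(true));
    return 0;
}
```

The buggy path carries L2's scaled multiplier into L1 even though the guest no longer advertises TSC scaling, which is exactly the inconsistency the warning flags; the fixed path derives the multiplier from L1's state, where a hidden feature means the default ratio.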

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Sep 15, 2025, 6:03 PM
Updated: Sep 15, 2025, 6:03 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.