Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's KVM module for nested SVM (Secure Virtual Machine) has been addressed. The issue involved improper handling of nested TSC (Time Stamp Counter) scaling support during VMRUN operations. Instead of checking whether TSC scaling was actually enabled for the guest, the code asserted that the feature was available to the guest whenever the MSR (Model Specific Register) value had diverged from its default. Because userspace controls both the MSR value and the guest CPUID, it could change the MSR and then hide the TSC scaling feature in CPUID, so that the assertion fired and produced a kernel warning. The vulnerability was characterized by this warning message, which indicated a flaw in how nested virtualization features were validated.
Triggering this vulnerability could lead to incorrect handling of nested virtualization features, potentially causing instability or unexpected behavior in virtual machines.
The vulnerability can be reproduced by writing a value of 0 to MSR_AMD64_TSC_RATIO, which disables TSC scaling, and then updating the guest CPUID to hide the TSC scaling feature. This can be done using KVM's state_test selftest by modifying the virtual CPU's MSR and CPUID features before the VMRUN operation. After these changes, the nested SVM VMRUN generates the warning, confirming that the flaw has been triggered.
Users should upgrade to a version of the Linux kernel in which this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.