Linux Kernel KVM VMX Hyper-V Nested Hypervisor Crash Vulnerability

Vulnerability

A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) module can lead to a crash when KVM runs as a nested hypervisor on top of Hyper-V with the 'Enlightened VMCS' and 'Enlightened MSR Bitmap' features in use. When the MSR (Model Specific Register) bitmap is updated, the function that handles the change locates the current VMCS through a per-CPU variable. That variable can be uninitialized (NULL), so dereferencing it causes a NULL pointer dereference. The problem is made worse by the fact that task preemption is not disabled around the access: the current task can be interrupted and moved to another CPU, and because the function reads the per-CPU variable multiple times, a check on the original CPU does not protect the later reads on the new CPU, where the still-uninitialized variable is dereferenced and the kernel crashes.
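The check-then-use race described above, modelled as an added userspace C example (this is not kernel code and not from the advisory): a two-slot `current_vmcs` array stands in for the kernel's per-CPU variable, a `running_cpu` counter and a `migrate_pending` knob stand in for the scheduler, and `preempt_disable`/`preempt_enable` are stubs. The names `model_evmcs`, `touch_msr_bitmap_racy`, `touch_msr_bitmap_fixed` and the bit value `CLEAN_FIELD_MSR_BITMAP` are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model of the race described above. None of this is
 * kernel code: the per-CPU variable, the scheduler and preemption are all
 * simulated so the check-then-use problem can be run in a normal process. */

#define NR_CPUS 2
#define CLEAN_FIELD_MSR_BITMAP 0x1u   /* assumed bit position, illustration only */

struct model_evmcs {                  /* stand-in for the enlightened VMCS */
    int msr_bitmap_enabled;
    uint32_t hv_clean_fields;         /* bit cleared = hypervisor must reload it */
};

/* Per-CPU pointer to the VMCS loaded on each CPU. NULL on a CPU that has not
 * loaded one yet: the "uninitialized" state the advisory describes. */
static struct model_evmcs *current_vmcs[NR_CPUS];
static struct model_evmcs cpu0_evmcs;

/* Scheduler model: which CPU the task is on, whether preemption is disabled,
 * and a test knob that forces one migration at the next opportunity. */
static int running_cpu;
static int preempt_count;
static int migrate_pending;

static void maybe_migrate(void)
{
    if (migrate_pending && preempt_count == 0) {
        running_cpu = (running_cpu + 1) % NR_CPUS;  /* task moved to another CPU */
        migrate_pending = 0;
    }
}

static void preempt_disable(void) { preempt_count++; }
static void preempt_enable(void)  { preempt_count--; maybe_migrate(); }

/* Model of this_cpu_read(current_vmcs): with preemption enabled, the task may
 * be migrated right after the read, so a second read sees another CPU's slot. */
static struct model_evmcs *this_cpu_read_current_vmcs(void)
{
    struct model_evmcs *p = current_vmcs[running_cpu];
    maybe_migrate();
    return p;
}

/* Vulnerable pattern: the per-CPU variable is read once for the NULL check and
 * again for the use. Returns 0 on success, -1 where the kernel would have
 * dereferenced NULL (the model reports instead of crashing). */
static int touch_msr_bitmap_racy(void)
{
    if (!this_cpu_read_current_vmcs())                    /* check: CPU A's slot */
        return 0;
    struct model_evmcs *e = this_cpu_read_current_vmcs(); /* use: may be CPU B's slot */
    if (!e)
        return -1;
    if (e->msr_bitmap_enabled)
        e->hv_clean_fields &= ~CLEAN_FIELD_MSR_BITMAP;
    return 0;
}

/* Hardened pattern: one snapshot of the pointer, taken with preemption
 * disabled, so the check and every use refer to the same CPU's VMCS. */
static int touch_msr_bitmap_fixed(void)
{
    preempt_disable();
    struct model_evmcs *e = this_cpu_read_current_vmcs();
    if (e && e->msr_bitmap_enabled)
        e->hv_clean_fields &= ~CLEAN_FIELD_MSR_BITMAP;
    preempt_enable();
    return 0;
}

/* Reset to the advisory's scenario: CPU 0 has a VMCS loaded with the
 * enlightened MSR bitmap enabled, CPU 1 has none, and (if requested) the task
 * is migrated to CPU 1 at the first opportunity. */
static void model_reset(int migrate)
{
    cpu0_evmcs.msr_bitmap_enabled = 1;
    cpu0_evmcs.hv_clean_fields = 0xffffffffu;
    current_vmcs[0] = &cpu0_evmcs;
    current_vmcs[1] = NULL;
    running_cpu = 0;
    preempt_count = 0;
    migrate_pending = migrate;
}

int main(void)
{
    model_reset(1);
    printf("racy, migration:  %s\n", touch_msr_bitmap_racy() ? "NULL dereference" : "ok");
    model_reset(1);
    printf("fixed, migration: %s\n", touch_msr_bitmap_fixed() ? "NULL dereference" : "ok");
    return 0;
}
```

The racy variant passes its NULL check on one CPU and then re-reads the per-CPU slot on whichever CPU the task lands on; the model returns -1 at the point where the kernel would dereference NULL. The fixed variant takes a single snapshot with preemption disabled, so the check and the use cannot refer to different CPUs. Taking the pointer from the vCPU's own state instead of a per-CPU variable sidesteps the problem entirely; which approach upstream chose is not stated on this page.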

Impact

Exploitation of this vulnerability leads to a kernel NULL pointer dereference, causing a system crash.

Reproduction

To reproduce this vulnerability, enable KVM with 'Enlightened VMCS' and 'Enlightened MSR Bitmap' support, and run as a nested hypervisor on Hyper-V. When the MSR bitmap is modified, the uninitialized 'current_vmcs' variable can be accessed, leading to a crash.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.

Added: Dec 8, 2025, 2:34 AM
Updated: Dec 8, 2025, 2:34 AM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  3.8
  remediation     7.7
  relevance       1.3
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.