Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability exists in the Linux kernel's handling of Processor Event-Based Sampling (PEBS) for KVM guests. When the value of the PEBS_ENABLE MSR is loaded for a guest virtual CPU, it should be masked with the PEBS_ENABLE value the guest itself has requested. The affected code applies only the host kernel's masks, so PEBS can be enabled for the guest even though the guest never asked for it. In that state the guest can crash: if the guest has not programmed the MSRs that PEBS depends on, in particular the DS_AREA MSR, the sampling writes produce a flood of page faults. The trigger is that the userspace 'perf' tool can create guest-only PEBS events, a configuration that KVM does not support and cannot handle correctly.
Enabling PEBS against the guest's wishes can crash the guest through an overwhelming number of page faults, especially if the guest has not configured the processor registers that PEBS relies on, such as the DS_AREA MSR.
The vulnerability can be reproduced by running 'perf kvm top' built from a tree prior to the commit that disabled PEBS for KVM guests. That command creates a guest-only PEBS event that the KVM virtualization layer mishandles, so PEBS is unintentionally enabled for the guest.
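The following is an added, standalone model of the masking defect described above; it is not the kernel's code. The structure and field names (pebs_enabled, intel_ctrl_host_mask, intel_ctrl_guest_mask, the guest's pebs_enable and ds_area) are assumptions chosen to mirror the per-CPU perf state and the guest PMU state the kernel keeps, and the two scenarios are constructed inputs: one where an old 'perf kvm top' has created a guest-only PEBS event the guest never asked for, and one where the guest legitimately enabled PEBS itself. The vulnerable computation applies only the host-side masks; the fixed one additionally ANDs with the guest's own PEBS_ENABLE, which is what stops the unrequested event from being loaded into the guest.

```c
/* Standalone model of the guest PEBS_ENABLE masking bug. Not kernel code;
 * field names are assumptions that mirror the kernel's naming, values are
 * constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the host's per-CPU perf event state. */
struct host_pmu_state {
    uint64_t pebs_enabled;          /* counters currently programmed for PEBS */
    uint64_t intel_ctrl_host_mask;  /* counters that may only count in the host */
    uint64_t intel_ctrl_guest_mask; /* counters that may only count in the guest */
    uint64_t pebs_capable;          /* counters the hardware can use for PEBS */
};

/* Simplified stand-in for the guest's virtual PMU state as tracked by KVM. */
struct guest_pmu_state {
    uint64_t pebs_enable; /* value the guest wrote to its PEBS_ENABLE MSR */
    uint64_t ds_area;     /* value the guest wrote to its DS_AREA MSR, 0 if never set */
};

/* Vulnerable computation: only host-side masks are applied, so any PEBS
 * event that is not host-only leaks into the guest's PEBS_ENABLE, whether
 * or not the guest requested it. */
uint64_t guest_pebs_enable_vulnerable(const struct host_pmu_state *h,
                                      const struct guest_pmu_state *g)
{
    uint64_t pebs_mask = h->pebs_enabled & h->pebs_capable;
    (void)g; /* the guest's own PEBS_ENABLE is never consulted */
    return pebs_mask & ~h->intel_ctrl_host_mask;
}

/* Fixed computation: the same host masks, plus the guest's desired value. */
uint64_t guest_pebs_enable_fixed(const struct host_pmu_state *h,
                                 const struct guest_pmu_state *g)
{
    uint64_t pebs_mask = h->pebs_enabled & h->pebs_capable;
    return pebs_mask & ~h->intel_ctrl_host_mask & g->pebs_enable;
}

/* Crash precondition from the advisory: PEBS active in the guest while the
 * guest has no DS_AREA, so every sample record write faults. */
bool guest_would_fault(uint64_t loaded_pebs_enable, const struct guest_pmu_state *g)
{
    return loaded_pebs_enable != 0 && g->ds_area == 0;
}

/* Constructed scenario 1: an old 'perf kvm top' created a guest-only PEBS
 * event on counter 0; the guest itself never touched PEBS or DS_AREA. */
const struct host_pmu_state host_guest_only_event = {
    .pebs_enabled = 1ULL << 0,
    .intel_ctrl_host_mask = 0,
    .intel_ctrl_guest_mask = 1ULL << 0, /* exclude_host: counts only in the guest */
    .pebs_capable = 0xff,
};
const struct guest_pmu_state guest_untouched = {
    .pebs_enable = 0,
    .ds_area = 0,
};

/* Constructed scenario 2: the guest enabled PEBS on counter 1 (KVM backs it
 * with a guest-only event) while the host runs its own PEBS event on
 * counter 2, which must never reach the guest. */
const struct host_pmu_state host_mixed = {
    .pebs_enabled = (1ULL << 1) | (1ULL << 2),
    .intel_ctrl_host_mask = 1ULL << 2,
    .intel_ctrl_guest_mask = 1ULL << 1,
    .pebs_capable = 0xff,
};
const struct guest_pmu_state guest_requested_pebs = {
    .pebs_enable = 1ULL << 1,
    .ds_area = 0x7f00deadb000ULL, /* constructed guest virtual address */
};

static void report(const char *name, const struct host_pmu_state *h,
                   const struct guest_pmu_state *g)
{
    uint64_t vuln = guest_pebs_enable_vulnerable(h, g);
    uint64_t fixed = guest_pebs_enable_fixed(h, g);
    printf("%s: vulnerable=0x%llx (fault=%d) fixed=0x%llx (fault=%d)\n", name,
           (unsigned long long)vuln, guest_would_fault(vuln, g),
           (unsigned long long)fixed, guest_would_fault(fixed, g));
}

int main(void)
{
    report("guest-only perf event, guest never enabled PEBS",
           &host_guest_only_event, &guest_untouched);
    report("guest enabled PEBS itself, host has its own PEBS event",
           &host_mixed, &guest_requested_pebs);
    return 0;
}
```

In the first scenario the vulnerable path loads bit 0 into the guest's PEBS_ENABLE with DS_AREA still zero, which is exactly the page-fault flood the advisory describes; the fixed path loads 0. In the second scenario both paths yield only bit 1, showing that masking with the guest's value does not strip PEBS the guest genuinely asked for, while the host-only event on counter 2 stays out of the guest either way.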