Linux Kernel KVM SVM Vulnerability: Improper Handling of System Management Mode During VCPU Shutdown Interception

Vulnerability

A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) module for SVM (Secure Virtual Machine) has been addressed. The issue arose because, after a vCPU (virtual Central Processing Unit) SHUTDOWN interception, KVM did not properly exit System Management Mode (SMM), leading to a warning being triggered. This vulnerability was reproduced using Syzkaller by creating a KVM virtual machine and vCPU, entering SMM, and then executing invalid instructions that caused exceptions and a triple fault. The vulnerability could lead to use-after-free scenarios, similar to a previously addressed issue with nested mode.

Impact

The vulnerability could cause a warning to be issued when KVM attempts to reset a vCPU that is in SMM, potentially leading to improper handling of the vCPU state.

Reproduction

The vulnerability can be reproduced by creating a KVM virtual machine and vCPU, sending a KVM_SMI ioctl to enter SMM, and then executing invalid instructions that cause exceptions, leading to a triple fault. This process triggers a warning when KVM forces the vCPU to reset, as the CPU should not be in SMM during such an operation.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

  Category        Score
  spread          9.0
  impact          2.5
  exploitability  3.4
  remediation     0.0
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.