Linux Kernel KVM Hyper-V Non-Canonical Address TLB Flush Vulnerability

Vulnerability

A vulnerability in the Linux kernel's KVM component for x86 architecture has been addressed. This issue arose in KVM guests with Hyper-V hypercalls enabled, where the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allowed guests to request invalidation of specific virtual TLB entries. The vulnerability occurred because non-canonical guest virtual addresses (GVAs) were not filtered out before being passed to Intel's INVVPID and AMD's INVLPGA instructions. While AMD's INVLPGA ignores non-canonical addresses, Intel's INVVPID triggers a VM-Fail error, indicating a failure in the TLB flush operation. Hyper-V documentation suggests that invalid GVAs should be ignored, and manual testing on Azure confirms that this is how 'real' Hyper-V behaves.

Impact

A guest that issues one of these hypercalls with non-canonical addresses in its list causes KVM to hand those addresses straight to the host's TLB-flush instruction. On Intel hardware INVVPID then fails with VM-Fail, so the flush does not complete and an error is raised in the host; on AMD hardware INVLPGA simply ignores the address and the request has no effect.

Reproduction

To reproduce this vulnerability, enable Hyper-V hypercalls in a KVM guest. From the guest, invoke the HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST or HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX hypercall with an address list that includes non-canonical guest virtual addresses. Observe that the non-canonical addresses are not filtered out and are passed to INVVPID or INVLPGA, depending on the host CPU vendor.

Remediation

The vulnerability has been resolved by modifying the KVM hypervisor to skip non-canonical guest virtual addresses during the TLB flush process. Users should update to the latest version of the Linux kernel where this fix has been applied.
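The check the fix adds is a canonical-address test applied per page before the address reaches the flush instruction. The following is an added illustration, not the kernel's own code: it assumes a configurable virtual-address width (48 bits with 4-level paging, 57 with LA57) and the Hyper-V TLFS list-entry layout (GVA page in bits 63:12, count of additional pages in bits 11:0), and compares the unfiltered loop with the hardened one on a constructed sample list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 4096ULL
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* Canonical means bits 63..(width-1) are all copies of bit (width-1).
 * Anything else is what INVVPID rejects with VM-Fail and INVLPGA ignores. */
static bool is_noncanonical_gva(uint64_t gva, unsigned int virt_addr_bits)
{
	uint64_t upper_mask = ~0ULL << (virt_addr_bits - 1);
	uint64_t upper = gva & upper_mask;
	return upper != 0 && upper != upper_mask;
}

struct flush_stats {
	unsigned int flushed; /* per-page flushes handed to the TLB backend */
	unsigned int skipped; /* non-canonical pages dropped by the fix */
};

/* Per-entry loop of an address-list flush. Assumed entry layout (TLFS
 * style): GVA page in bits 63:12, additional page count in bits 11:0.
 * skip_noncanonical=false models the vulnerable path, where every page
 * reaches the CPU; true models the fix, which ignores non-canonical pages. */
static struct flush_stats flush_gva_list(const uint64_t *list, size_t n,
					 unsigned int virt_addr_bits, bool skip_noncanonical)
{
	struct flush_stats st = {0, 0};
	for (size_t i = 0; i < n; i++) {
		uint64_t gva = list[i] & PAGE_MASK;
		uint64_t pages = (list[i] & ~PAGE_MASK) + 1;
		for (uint64_t j = 0; j < pages; j++) {
			uint64_t va = gva + j * PAGE_SIZE;
			if (skip_noncanonical && is_noncanonical_gva(va, virt_addr_bits)) {
				st.skipped++;
				continue;
			}
			st.flushed++; /* real KVM would issue INVVPID/INVLPGA here */
		}
	}
	return st;
}

/* Constructed sample (not a capture). With 48-bit VA: flushed 2, skipped 5. */
static const uint64_t sample_list[] = {
	0x00007ffffffff000ULL | 1, /* 2 pages: last user page, then the first non-canonical one */
	0xffff800000000000ULL,     /* 1 canonical kernel-half page */
	0x0000fffffffff000ULL | 3, /* 4 pages, all non-canonical under 48-bit VA */
};
```

The first entry is the interesting case: a range that starts canonical and crosses into the non-canonical hole, which is why the check has to run per page rather than once per list entry.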

Added: Jul 19, 2025, 12:19 PM
Updated: Jul 19, 2025, 12:19 PM

Vulnerability Rating (Custom Algorithm)

Metric          Score
spread          9.0
impact          2.5
exploitability  4.3
remediation     0.0
relevance       0.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.