Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.15.0-smp-DEV, < 6.15.0-smp-DEV
A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) module for AMD's SEV-ES (Secure Encrypted Virtualization-Encrypted State) can lead to instability when migrating virtual machines. The issue arises because the migration process does not account for virtual CPUs (vCPUs) that are actively being created. This can cause the destination VM to incorrectly recognize a vCPU as part of the SEV-ES environment, leading to potential crashes or other errors. The problem is most apparent when the system tries to release a vCPU that lacks a valid VMSA (Virtual Machine State Area) page, a situation that can trigger a page fault error. The vulnerability affects several versions of the Linux kernel, specifically those in the stable branch prior to the latest commit that addresses this issue.
Exploiting this vulnerability can cause the host system to crash, as it disrupts the proper management of virtual CPU states in SEV-ES virtual machines. This mismanagement can lead to page faults and other errors that destabilize the system.
To reproduce this vulnerability, initiate the creation of a virtual CPU in a source SEV-ES virtual machine. While this process is ongoing, attempt to migrate the SEV-ES state to a destination virtual machine that is also in the process of creating a vCPU. This will cause the destination VM to incorrectly handle the vCPU state, leading to a crash when the system tries to free the vCPU's NULL VMSA page.
Users can update to the latest version of the Linux kernel in the stable branch, where this vulnerability has been addressed.
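The failure described above can be modelled in user space. This is an added example, not code from the kernel or from the fix: all names are hypothetical, and the in-flight check is an assumed way of accounting for vCPUs that are still being created. Migration is refused while either VM has started but not finished a vCPU creation, so no vCPU ends up marked as SEV-ES without a VMSA page.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* User-space model only: every name below is hypothetical, not kernel code. */
struct model_vm {
    bool es_active;   /* VM currently counts as SEV-ES */
    int created;      /* vCPU creations started */
    int online;       /* vCPU creations completed */
    void *vmsa[4];    /* per-vCPU VMSA page, NULL if none was allocated */
};

/* Creation starts: whether a VMSA is allocated depends on the VM type now. */
static int vcpu_create_begin(struct model_vm *vm)
{
    if (vm->created >= 4) return -EINVAL;
    vm->vmsa[vm->created] = vm->es_active ? calloc(1, 4096) : NULL;
    if (vm->es_active && !vm->vmsa[vm->created]) return -ENOMEM;
    vm->created++;
    return 0;
}
static void vcpu_create_finish(struct model_vm *vm) { if (vm->online < vm->created) vm->online++; }
/* Guarded migration: refuse while either VM has a vCPU creation in flight. */
static int migrate_es_state(struct model_vm *dst, struct model_vm *src)
{
    if (dst->created != dst->online || src->created != src->online) return -EBUSY;
    if (!src->es_active || dst->online != src->online) return -EINVAL;
    for (int i = 0; i < src->online; i++) {
        dst->vmsa[i] = src->vmsa[i];   /* VMSA ownership moves to dst */
        src->vmsa[i] = NULL;
    }
    dst->es_active = true;
    src->es_active = false;
    return 0;
}
/* Free path: an SEV-ES vCPU with no VMSA is the crash case, reported here. */
static int vcpu_free(struct model_vm *vm, int idx)
{
    if (vm->es_active && !vm->vmsa[idx]) return -EFAULT;
    free(vm->vmsa[idx]);
    vm->vmsa[idx] = NULL;
    return 0;
}
int main(void)
{
    struct model_vm src = { .es_active = true }, dst = { 0 };
    vcpu_create_begin(&src); vcpu_create_finish(&src);
    vcpu_create_begin(&dst);   /* dst vCPU creation still in flight */
    return migrate_es_state(&dst, &src) == -EBUSY ? 0 : 1;
}
```

In the model, `vcpu_free` returns `-EFAULT` where the real free path would fault on the NULL VMSA page.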