Linux Kernel KVM x86 Instruction Intercept Vulnerability During Userspace I/O Emulation

Vulnerability

A flaw in the Linux kernel's KVM module for x86 has been fixed. When KVM emulates an instruction that needs an exit to userspace for I/O (a port IN/OUT that the VMM must service, for example), it finishes emulating that instruction only after userspace returns. Before the fix, the completion path re-evaluated L1's intercepts for the nested (L2) guest even though KVM had already passed that phase of execution and committed to letting L2 perform the I/O. If L1 or host userspace changed the I/O permission bitmaps while the vCPU was out in userspace, KVM treated the access as intercepted on completion despite having already emulated it, so the pending I/O was never consumed. The report came from a syzkaller program that toggles port I/O interception during the userspace exit; the result is a kernel warning from the emulator about unprocessed I/O emulation.

Impact

KVM's I/O emulation state for the affected vCPU is left inconsistent: the instruction that exited to userspace is never completed and the stale pending-I/O state trips a kernel warning (WARN) on the next emulation. Because the I/O permission bitmaps that drive the check are controlled by L1 as well as by host userspace, the condition is reachable from a nested guest, not only from the VMM. On hosts that run with panic_on_warn, a guest-reachable WARN is a host crash rather than a log line.

Reproduction

The reported syzkaller program reproduces the issue by running a port I/O instruction that causes KVM to exit to userspace, toggling interception of that port in the I/O permission bitmap while the exit is in progress, and then resuming the vCPU. On resume, KVM rechecks the intercept, treats the already-emulated access as intercepted, and fails to complete the I/O instruction, which surfaces as the warning about unprocessed I/O emulation.
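The ordering problem described in the Vulnerability and Reproduction sections, as an added example that is not KVM's code and is not part of the original page: a constructed C model with a VMX-style I/O permission bitmap (one bit per port), a vcpu with pending-PIO state, and an emulator entry point that takes an EMULTYPE_NO_DECODE-style flag to mean "completing an instruction whose I/O userspace has already performed". The `recheck_on_completion` switch, the `emulate_pio` and `run_scenario` helpers, the port numbers and the `EMUL_BUG_WARN` result are all assumptions made for the model; only the shape of the bug (intercepts re-evaluated after the I/O was committed) and the fix (skip the re-check when completing) follow the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not KVM's code: a simplified I/O permission bitmap,
 * vcpu pending-PIO state and emulator entry point, enough to show why
 * re-checking L1 intercepts on completion breaks and what the fix does. */

#define IO_BITMAP_BYTES 8192          /* one bit per port, ports 0..65535 */
#define EMULTYPE_NO_DECODE (1u << 0)  /* completing an already-decoded insn */

enum emul_result {
    EMUL_DONE,               /* instruction fully emulated */
    EMUL_EXIT_TO_USERSPACE,  /* I/O handed to userspace, completion pending */
    EMUL_INTERCEPTED,        /* access reflected to L1 as a nested VM-exit */
    EMUL_BUG_WARN,           /* stale pending I/O found: the reported WARN */
};

struct l1_state {
    uint8_t io_bitmap[IO_BITMAP_BYTES];  /* L1's I/O permission bitmap for L2 */
};

struct vcpu {
    bool l2_active;
    bool pio_pending;   /* an exit for I/O was taken and not yet completed */
    uint16_t pio_port;
};

static bool l1_intercepts_port(const struct l1_state *l1, uint16_t port)
{
    return (l1->io_bitmap[port / 8] >> (port % 8)) & 1;
}

static void l1_intercept_port(struct l1_state *l1, uint16_t port)
{
    l1->io_bitmap[port / 8] |= (uint8_t)(1u << (port % 8));
}

/* One pass through the emulator for IN/OUT on `port`. recheck_on_completion
 * selects the pre-fix behaviour: L1 intercepts are evaluated again even
 * though EMULTYPE_NO_DECODE says the I/O itself has already been done. */
static enum emul_result emulate_pio(struct vcpu *vcpu, const struct l1_state *l1,
                                    uint16_t port, unsigned int emul_type,
                                    bool recheck_on_completion)
{
    bool completing = emul_type & EMULTYPE_NO_DECODE;

    if (completing) {
        if (vcpu->l2_active && recheck_on_completion &&
            l1_intercepts_port(l1, port))
            return EMUL_INTERCEPTED;   /* bug: pio_pending is never cleared */
        vcpu->pio_pending = false;     /* consume what userspace supplied */
        return EMUL_DONE;
    }

    /* Fresh instruction: the emulator must not find unconsumed I/O state. */
    if (vcpu->pio_pending)
        return EMUL_BUG_WARN;

    /* Decode phase: the one place L1's intercepts should be honoured. */
    if (vcpu->l2_active && l1_intercepts_port(l1, port))
        return EMUL_INTERCEPTED;

    vcpu->pio_pending = true;          /* committed: userspace performs the I/O */
    vcpu->pio_port = port;
    return EMUL_EXIT_TO_USERSPACE;
}

struct scenario_result {
    enum emul_result completion;  /* completing the first IN/OUT after the exit */
    enum emul_result next_pio;    /* L2's following IN/OUT on a second port */
};

/* L2 does IN on PORT_A, KVM exits to userspace, and during that exit L1 (or
 * host userspace) flips PORT_A to intercepted. KVM then completes the
 * instruction and L2 moves on to PORT_B, which L1 never intercepts. */
static struct scenario_result run_scenario(bool recheck_on_completion,
                                           bool toggle_during_exit)
{
    const uint16_t PORT_A = 0x60, PORT_B = 0x64;   /* constructed port numbers */
    struct l1_state l1;
    struct vcpu vcpu = { .l2_active = true };
    struct scenario_result r = { EMUL_DONE, EMUL_DONE };

    memset(&l1, 0, sizeof(l1));
    r.completion = emulate_pio(&vcpu, &l1, PORT_A, 0, recheck_on_completion);
    if (r.completion != EMUL_EXIT_TO_USERSPACE)
        return r;
    if (toggle_during_exit)
        l1_intercept_port(&l1, PORT_A);
    r.completion = emulate_pio(&vcpu, &l1, PORT_A, EMULTYPE_NO_DECODE,
                               recheck_on_completion);
    r.next_pio = emulate_pio(&vcpu, &l1, PORT_B, 0, recheck_on_completion);
    return r;
}

int main(void)
{
    static const char *const names[] = { "DONE", "EXIT_TO_USERSPACE",
                                         "INTERCEPTED", "BUG_WARN" };
    struct scenario_result bug = run_scenario(true, true);
    struct scenario_result fix = run_scenario(false, true);

    printf("pre-fix:  completion=%s next_pio=%s\n",
           names[bug.completion], names[bug.next_pio]);
    printf("post-fix: completion=%s next_pio=%s\n",
           names[fix.completion], names[fix.next_pio]);
    return 0;
}
```

With the re-check enabled, completion returns INTERCEPTED while the vcpu still carries pending I/O, and L2's next port access, on a port L1 does not intercept at all, hits the stale state and produces the warning. With the re-check skipped for the completion pass, the same bitmap change during the exit is harmless: the already-emulated I/O is completed and the next access goes through the normal decode-phase intercept check. The point for reviewers of similar code is that intercept decisions belong to the decode phase that precedes the commitment to perform the I/O; any state that can be modified by another party during an exit must not be consulted again after that commitment.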

Remediation

Upgrade to a kernel release that contains the fix, which stops KVM from re-checking L1 intercepts when completing userspace I/O. The faulty re-check only applies to L1 intercepts, i.e. while a nested (L2) guest is running, so hosts that do not need nested virtualization can remove the reachable path in the meantime by disabling it through the `nested` module parameter of kvm_intel or kvm_amd.

Added: Oct 28, 2025, 10:22 AM
Updated: Oct 28, 2025, 10:22 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.0
exploitability: 3.8
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.