Linux Kernel KVM SVM VM-Exit Handler Vulnerability

Vulnerability

A vulnerability in the Linux kernel's KVM SVM module has been addressed. The VM-Exit handler did not verify that the next instruction pointer (RIP) was available before executing certain fastpath operations. Without that check, instruction skipping could be emulated incorrectly: when the CPU did not provide the next RIP, the handler had to read guest memory to decode the instruction. Such memory access can fault or block, disrupting the expected execution flow, because the fastpath handlers run with interrupts disabled and must not sleep. The bug surfaced as a kernel report that a sleeping function was called from an invalid context, violating the non-blocking requirement of the fastpath operations.

Impact

The vulnerability could cause the VM-Exit handler to improperly manage instruction emulation, potentially leading to execution errors or disruptions in virtual machine performance.

Reproduction

The vulnerability can be reproduced by configuring KVM to run with the 'nrips' option set to false, which prevents the CPU from providing the next RIP during VM-Exit. When a virtual machine is then executed, the VM-Exit handler will attempt to skip certain instructions using the fastpath, but will encounter issues due to the missing RIP, leading to faults or delays as it tries to read guest memory through the emulator.
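The control-flow invariant behind the Vulnerability and Reproduction sections, modelled as an added example: a fastpath that runs with interrupts disabled must not fall into the emulator (which may sleep to read guest memory), so it may only skip an instruction when the hardware already supplied the next RIP. This is a constructed stand-alone model, not Linux kernel code; the struct, function names and the 3-byte instruction length are assumptions made for illustration, and only the `nrips` setting is taken from the page.

```c
/* Hypothetical model (not Linux kernel code) of the fastpath invariant
 * described above. The vulnerable handler always tries to skip the
 * instruction in the fastpath and, when no next RIP is available, ends
 * up in the emulator with interrupts disabled. The fixed handler declines
 * the fastpath in that case and leaves the work to the slow path, which
 * runs with interrupts enabled. All names and values are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum outcome {
    SKIPPED,          /* RIP advanced past the instruction */
    DEFERRED,         /* fastpath declined; full handler will emulate */
    SLEEP_IN_ATOMIC,  /* emulator invoked with interrupts disabled: the bug */
};

struct vcpu {
    bool     nrips;          /* hardware supplies next RIP ('nrips' enabled) */
    uint64_t rip;
    uint64_t next_rip;       /* valid only when nrips is true */
    bool     irqs_disabled;  /* true while inside the fastpath */
};

/* Stand-in for the emulator's guest-memory read. It may sleep (page
 * fault, memory-slot lookup), so it is illegal in atomic context; here
 * it reports that condition instead of crashing. Constructed: every
 * decoded instruction is assumed to be 3 bytes long. */
static bool emulator_read_guest(struct vcpu *v, uint64_t *insn_len)
{
    if (v->irqs_disabled)
        return false;  /* "sleeping function called from invalid context" */
    *insn_len = 3;
    return true;
}

/* Vulnerable: skips the instruction in the fastpath regardless of nrips. */
static enum outcome fastpath_skip_vulnerable(struct vcpu *v)
{
    uint64_t len;
    enum outcome res;

    v->irqs_disabled = true;
    if (v->nrips) {
        v->rip = v->next_rip;
        res = SKIPPED;
    } else if (emulator_read_guest(v, &len)) {
        v->rip += len;
        res = SKIPPED;
    } else {
        res = SLEEP_IN_ATOMIC;  /* reached guest memory with IRQs off */
    }
    v->irqs_disabled = false;
    return res;
}

/* Fixed: use the fastpath only when the next RIP is already known. */
static enum outcome fastpath_skip_fixed(struct vcpu *v)
{
    if (!v->nrips)
        return DEFERRED;  /* let the slow path, with IRQs enabled, emulate */
    v->irqs_disabled = true;
    v->rip = v->next_rip;
    v->irqs_disabled = false;
    return SKIPPED;
}

/* Slow path: interrupts enabled, so reading guest memory is permitted. */
static enum outcome slowpath_skip(struct vcpu *v)
{
    uint64_t len;

    v->irqs_disabled = false;
    if (!emulator_read_guest(v, &len))
        return SLEEP_IN_ATOMIC;  /* not reachable with IRQs enabled */
    v->rip += len;
    return SKIPPED;
}

int main(void)
{
    struct vcpu v = { .nrips = false, .rip = 0x1000, .next_rip = 0,
                      .irqs_disabled = false };
    printf("vulnerable handler, nrips=0: outcome %d\n",
           fastpath_skip_vulnerable(&v));
    printf("fixed handler, nrips=0:      outcome %d\n",
           fastpath_skip_fixed(&v));
    printf("slow path, nrips=0:          outcome %d, rip=0x%llx\n",
           slowpath_skip(&v), (unsigned long long)v.rip);
    return 0;
}
```

With `nrips` disabled, the vulnerable handler reaches `emulator_read_guest` while `irqs_disabled` is set and reports `SLEEP_IN_ATOMIC`, which is the condition the kernel warning describes; the fixed handler returns `DEFERRED` and the slow path then advances RIP safely. With `nrips` enabled both handlers take the fastpath and never touch guest memory.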

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the updated kernel can be found on the official Linux kernel website.

Added: Oct 28, 2025, 1:16 PM
Updated: Oct 28, 2025, 1:16 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.