Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's KVM support for the arm64 architecture has been addressed. The issue occurred when the host ran with transparent huge pages and with the CONFIG_NVHE_EL2_DEBUG option enabled. Under those conditions, the debug check in assert_host_shared_guest() assumed that every mapping of guest memory was a single page; with transparent huge pages the memory can instead be backed by a block mapping, so the check failed when a non-protected guest was launched, producing a WARN_ON() message and a stack trace followed by a kernel panic. The fix relaxes the debug check so that it accommodates block mappings: the mapping size is no longer verified explicitly. The same adjustment was applied in __pkvm_host_mkyoung_guest().
The impact is a denial of service on the host: the failed check panics the kernel, halting its execution and stopping the secondary CPUs, as the reported stack trace shows, which takes down every guest and workload on that host.
Reproduction requires an arm64 host running the KVM nVHE hypervisor with transparent huge pages enabled and a kernel built with CONFIG_NVHE_EL2_DEBUG, a debug-only option. Launching a non-protected guest on such a host reaches the debug check in assert_host_shared_guest(), which fails on the block mapping and panics the host. Nothing beyond starting the guest is needed; the crash traces back to the incorrect assumption that guest memory mappings are always single pages.
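The script below is an added example, not part of the original advisory or of the kernel tree. It checks whether a host meets the three trigger preconditions named above (arm64, CONFIG_NVHE_EL2_DEBUG=y, transparent huge pages not disabled). It does not detect whether the fix is present, and it cannot tell from user space whether KVM is actually running in nVHE mode, so a "preconditions present" verdict means the assertion is reachable only if the hypervisor is nVHE (hardware without VHE, or kvm-arm.mode=nvhe/protected on the kernel command line). The sample config and THP files it creates are constructed inputs for demonstration; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: precondition check for the assert_host_shared_guest() panic.
# Not the kernel's code. Only reports reachability of the debug assertion;
# it does not prove the fix is absent or present.

# check_preconditions ARCH CONFIG_FILE THP_FILE
#   ARCH         output of `uname -m`
#   CONFIG_FILE  plain-text kernel config (e.g. /boot/config-$(uname -r),
#                or /proc/config.gz decompressed to a file)
#   THP_FILE     /sys/kernel/mm/transparent_hugepage/enabled
# Prints one line per precondition and returns 0 only when all hold.
check_preconditions() {
  arch=$1; cfg=$2; thp=$3; missing=0
  [ -r "$cfg" ] || { echo "error: cannot read config $cfg" >&2; return 2; }
  [ -r "$thp" ] || { echo "error: cannot read THP setting $thp" >&2; return 2; }

  case "$arch" in
    aarch64|arm64) echo "arch: $arch (arm64, KVM/arm64 in use)" ;;
    *) echo "arch: $arch (not arm64, KVM/arm64 code not in use)"; missing=1 ;;
  esac

  # The failing check is compiled in only with CONFIG_NVHE_EL2_DEBUG=y.
  if grep -q '^CONFIG_NVHE_EL2_DEBUG=y$' "$cfg"; then
    echo "CONFIG_NVHE_EL2_DEBUG=y (hyp debug assertions compiled in)"
  else
    echo "CONFIG_NVHE_EL2_DEBUG not set (assertion not compiled in)"; missing=1
  fi

  # The sysfs file marks the active mode in brackets, e.g. "[always] madvise never".
  # Only [never] rules out huge pages; madvise still gives block mappings to a
  # VMM that opts its guest memory in, so treat everything but [never] as enabled.
  if grep -q '\[never\]' "$thp"; then
    echo "THP: never (guest memory will not get block mappings)"; missing=1
  else
    echo "THP: $(tr -d '\n' <"$thp") (block mappings of guest memory possible)"
  fi

  if [ "$missing" -eq 0 ]; then
    echo "VERDICT: all trigger preconditions present; run a kernel containing the fix"
  else
    echo "VERDICT: at least one precondition missing; assertion not reachable"
  fi
  return "$missing"
}

# check_host: run the check against the live machine (no arguments).
check_host() {
  cfg=/boot/config-$(uname -r)
  if [ -r /proc/config.gz ]; then
    cfg=$(mktemp); zcat /proc/config.gz >"$cfg"
  fi
  check_preconditions "$(uname -m)" "$cfg" /sys/kernel/mm/transparent_hugepage/enabled
}

# --- constructed sample inputs (not data from a real host) ---
SAMPLE_DIR=$(mktemp -d)
cat >"$SAMPLE_DIR/config-debug" <<'EOF'
CONFIG_ARM64=y
CONFIG_KVM=y
CONFIG_NVHE_EL2_DEBUG=y
CONFIG_TRANSPARENT_HUGEPAGE=y
EOF
cat >"$SAMPLE_DIR/config-nodebug" <<'EOF'
CONFIG_ARM64=y
CONFIG_KVM=y
# CONFIG_NVHE_EL2_DEBUG is not set
CONFIG_TRANSPARENT_HUGEPAGE=y
EOF
printf '[always] madvise never\n' >"$SAMPLE_DIR/thp-always"
printf 'always madvise [never]\n' >"$SAMPLE_DIR/thp-never"

echo "== sample: debug build, THP always =="
if check_preconditions aarch64 "$SAMPLE_DIR/config-debug" "$SAMPLE_DIR/thp-always"; then :; fi
echo "== sample: debug build, THP never =="
if check_preconditions aarch64 "$SAMPLE_DIR/config-debug" "$SAMPLE_DIR/thp-never"; then :; fi

# Pass --live to check the machine the script runs on instead of the samples.
if [ "${1:-}" = --live ]; then check_host; fi
```

On a real host, run it with --live; it needs only read access to the kernel config and the sysfs THP setting, so it can be run as an unprivileged user wherever the config file is readable.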
Users should upgrade to a kernel release that contains the fix; patched releases and download instructions are available on the Linux kernel's official website (kernel.org). Because the failing check exists only when CONFIG_NVHE_EL2_DEBUG is enabled, kernels built without that option are not exposed to this panic.