Linux Kernel KVM SVM INT3 INTO Instruction Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) SVM (Secure Virtual Machine) module has been addressed. The issue arose when re-injecting soft interrupts from INT3, INTO, or other INTn instructions. The exception was not discarded and the instruction was not retried if the code stream had changed (for example, due to a different virtual CPU) between the execution and the decoding of the instruction. As a result, KVM could misinterpret the instruction, set an incorrect RIP (Instruction Pointer) value, and corrupt guest state. The problem frequently caused 'Oops: int3' panics during static branch checks in Linux guest systems. The vulnerability could be reproduced by modifying the guest kernel to repeatedly check a static branch while simultaneously running a script on the host that disrupted the guest's task state segment (TSS) memory.
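The decision described above can be modelled in a few lines. This is an added, simplified illustration and not the kernel's code: the function names, the toy length decoder, and the sample bytes are constructed for the example, and only the x86 encodings (INT3 = 0xCC, INTO = 0xCE, INT n = 0xCD imm8, JMP rel32 = 0xE9) are real.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the re-injection decision; not kernel code. */
enum action { SKIP_AND_REINJECT, DISCARD_AND_RETRY };
struct decision { enum action act; uint64_t next_rip; };

/* Constructed guest bytes at the faulting RIP. */
const uint8_t bytes_at_exec[]   = { 0xCC };                          /* INT3 as executed */
const uint8_t bytes_at_decode[] = { 0xE9, 0x10, 0x00, 0x00, 0x00 }; /* JMP rel32 written by another vCPU */

/* Toy length decoder covering only the opcodes used in this example. */
static size_t insn_len(const uint8_t *code)
{
    switch (code[0]) {
    case 0xCD: return 2;   /* INT imm8 */
    case 0xE9: return 5;   /* JMP rel32 */
    default:   return 1;   /* INT3 (0xCC), INTO (0xCE) */
    }
}

/* Length of the soft-interrupt instruction that raises `vector`,
 * or 0 if the bytes now in memory are not that instruction. */
static size_t soft_int_len(const uint8_t *code, size_t n, uint8_t vector)
{
    if (n >= 1 && code[0] == 0xCC && vector == 3) return 1;
    if (n >= 1 && code[0] == 0xCE && vector == 4) return 1;
    if (n >= 2 && code[0] == 0xCD && code[1] == vector) return 2;
    return 0;
}

/* Flawed behaviour: trust whatever is decoded now to compute the next RIP. */
uint64_t next_rip_unchecked(uint64_t rip, const uint8_t *code)
{
    return rip + insn_len(code);
}

/* Checked behaviour: re-inject only if the decoded instruction still matches
 * the intercepted vector; otherwise drop the exception and re-execute at rip. */
struct decision reinject_checked(uint64_t rip, const uint8_t *code, size_t n, uint8_t vector)
{
    size_t len = soft_int_len(code, n, vector);
    if (len == 0)
        return (struct decision){ DISCARD_AND_RETRY, rip };
    return (struct decision){ SKIP_AND_REINJECT, rip + len };
}
```

With the constructed bytes, the unchecked path advances RIP by five bytes past a jump the guest never executed, while the checked path leaves RIP unchanged so the guest simply re-executes the rewritten instruction.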

Impact

The vulnerability could cause guest kernel panics in Linux virtual machines, particularly during static branch checks, due to incorrect handling of soft interrupts.

Reproduction

The vulnerability can be reproduced by patching the guest kernel to frequently check a static branch. Simultaneously, run a script on the host that continuously replaces the memory containing the guest's TSS. This combination will quickly trigger the 'Oops: int3' panic in the guest kernel.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Dec 16, 2025, 3:28 PM
Updated: Dec 16, 2025, 3:28 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.4
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.