Linux Kernel KVM IRQFD Routing Clobbering Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) module, specifically related to the handling of IRQFD (interrupt request file descriptor) routing. When deassigning an IRQFD, the kernel improperly overwrites the IRQ's routing entry, which can disrupt the expected behavior of certain functions on x86 and arm64 architectures. This issue arises because the clobbering process does not account for concurrent routing updates, potentially leading to the use of outdated routing information. The vulnerability is particularly problematic on AMD systems, where it can cause a NULL pointer dereference, while on Intel and arm64, it may result in IRQs being incorrectly posted to a vCPU after deassignment.

Impact

The vulnerability can cause list corruption, leading to a kernel NULL pointer dereference on AMD systems, or allow IRQs to be incorrectly posted to a vCPU on Intel and arm64 systems, causing disruptions in virtual machine operations.

Reproduction

The vulnerability can be reproduced by deassigning a KVM_IRQFD while concurrent routing updates are in progress. This can be done by manipulating IRQFDs in a way that triggers the deassignment process before the routing information has been properly synchronized, particularly on AMD systems where the issue is most pronounced.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation or through the package management system of the respective Linux distribution.

Added: Feb 14, 2026, 5:27 PM
Updated: Feb 14, 2026, 5:27 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.4
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.