Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- 7.0.0-rc2-eafebd2d2ab0-sink-vm
A vulnerability in the Linux kernel's KVM module for the x86 architecture has been addressed. The issue arose when installing an emulated Memory-Mapped Input/Output (MMIO) Shadow Page Table Entry (SPTE): the existing shadow-present SPTE was not cleared before the new MMIO SPTE was installed. If the host changed the memory management settings for the affected guest page, KVM could install an MMIO SPTE while leaving the old shadow-present SPTE in place, leading to inconsistent page-table state during subsequent memory accesses.
The vulnerability could lead to stale or inconsistent page table entries, allowing for improper handling of memory accesses in virtualized environments. This could disrupt the expected behavior of guest virtual machines, particularly in scenarios involving emulated MMIO operations.
The vulnerability can be reproduced by having host userspace change the memory backing a shadowed guest Page Table Entry (gPTE) from a memory slot to emulated MMIO. If the guest then takes a page fault on that address, KVM installs the MMIO SPTE without first clearing the shadow-present SPTE, producing the inconsistency described above.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.