Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's KVM for the arm64 architecture, in the initialization of ID registers for non-protected pKVM guests. In protected mode, the hypervisor keeps its own 'kvm' structure for each virtual machine (VM); for non-protected VMs, that structure is populated from the host's 'kvm' state. The issue is that 'pkvm_init_features_from_host()' copies the 'KVM_ARCH_FLAG_ID_REGS_INITIALIZED' flag from the host without also initializing the corresponding 'id_regs' data. The hypervisor therefore sees the flag as set while its copy of the ID registers remains uninitialized. As a result, feature detection fails for non-protected VMs, leading to incorrect handling of certain system registers during critical operations, which can corrupt VM state.
The vulnerability disrupts the correct initialization and management of ID registers for non-protected VMs, causing failures in feature detection and improper handling of key system registers during VM operations, potentially leading to state corruption.
The vulnerability can be reproduced by running a non-protected pKVM guest on arm64. During the VM's initialization, the 'KVM_ARCH_FLAG_ID_REGS_INITIALIZED' flag is copied from the host without the associated ID registers being set up. This can be verified by checking the result of 'kvm_has_feat()' at EL2, which fails to recognize features that depend on correctly initialized ID registers.
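As an added illustration (not kernel code, and far simpler than the real pKVM structures), the following C model shows the host-to-hypervisor state copy described above in its faulty and corrected forms, together with the invariant check a regression test could assert. The trimmed `struct kvm_arch`, `NR_ID_REGS`, `FEAT_REG`, `FEAT_BIT` and the helper names are assumptions constructed for this model; only the flag name and `kvm_has_feat` come from the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define KVM_ARCH_FLAG_ID_REGS_INITIALIZED (1u << 0)
#define NR_ID_REGS 4          /* constructed: the real array is larger */
#define FEAT_REG 2            /* constructed: ID register carrying the feature */
#define FEAT_BIT (1ull << 0)  /* constructed: feature bit within that register */
struct kvm_arch { unsigned long flags; uint64_t id_regs[NR_ID_REGS]; };

/* EL2-side feature query: once the flag is set, id_regs is trusted as-is. */
static bool kvm_has_feat(const struct kvm_arch *hyp)
{
	return (hyp->flags & KVM_ARCH_FLAG_ID_REGS_INITIALIZED) && (hyp->id_regs[FEAT_REG] & FEAT_BIT);
}

/* Behaviour the page describes: the flag crosses over, id_regs stays zero. */
static void init_from_host_buggy(struct kvm_arch *hyp, const struct kvm_arch *host)
{
	memset(hyp, 0, sizeof(*hyp));
	hyp->flags |= host->flags & KVM_ARCH_FLAG_ID_REGS_INITIALIZED;
}

/* Corrected: the ID registers travel together with the flag. */
static void init_from_host_fixed(struct kvm_arch *hyp, const struct kvm_arch *host)
{
	memset(hyp, 0, sizeof(*hyp));
	if (host->flags & KVM_ARCH_FLAG_ID_REGS_INITIALIZED) {
		memcpy(hyp->id_regs, host->id_regs, sizeof(hyp->id_regs));
		hyp->flags |= KVM_ARCH_FLAG_ID_REGS_INITIALIZED;
	}
}

/* Invariant a unit test can assert: "flag set" must imply "id_regs populated". */
static bool id_regs_consistent(const struct kvm_arch *hyp)
{
	bool populated = false;
	for (int i = 0; i < NR_ID_REGS; i++)
		populated |= hyp->id_regs[i] != 0;
	return !(hyp->flags & KVM_ARCH_FLAG_ID_REGS_INITIALIZED) || populated;
}

/* Constructed host advertising the feature; returns bit0 = feature seen at EL2, bit1 = invariant holds. */
static int probe(bool use_fix)
{
	struct kvm_arch host = { .flags = KVM_ARCH_FLAG_ID_REGS_INITIALIZED }, hyp;
	host.id_regs[FEAT_REG] = FEAT_BIT;
	(use_fix ? init_from_host_fixed : init_from_host_buggy)(&hyp, &host);
	return (kvm_has_feat(&hyp) ? 1 : 0) | (id_regs_consistent(&hyp) ? 2 : 0);
}
```

With the buggy copy the flag is set but the feature is invisible and the invariant fails; with the fix both hold.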
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.