Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's handling of the CR4 FRED bit on x86 CPUs, affecting versions 6.12 and later. The FRED bit is initialized at boot on the Bootstrap Processor (BSP) before it is set on the Application Processors (APs), creating a window during which exceptions cannot be handled. The problem is worse for guests running under AMD SEV-ES, AMD SEV-SNP, or Intel TDX, because such guests are likely to take an exception during that window, which results in a triple fault. In addition, the online bit lives in writable memory and can be manipulated, which can disable CR4 pinning and the security features that depend on it, causing further system instability.
Exploitation of this vulnerability can disrupt normal exception handling, particularly for virtual machines using AMD's SEV-ES, SEV-SNP, or Intel's TDX, potentially leading to a triple fault and system crash.
The vulnerability can be reproduced by running a virtual machine with an AMD SEV-ES or SEV-SNP guest, or an Intel TDX guest, on a system with a vulnerable Linux kernel. During boot, the FRED bit is initialized on the BSP before the APs, creating a brief period in which exceptions cannot be handled. If the guest takes an exception during this window, the result is a triple fault, because the FRED Model Specific Registers (MSRs) have not yet been set up.
Users can upgrade to a patched version of the Linux kernel that removes the FRED bit from the CR4 pinning mask, eliminating the vulnerability. The latest stable version can be downloaded from the official Linux kernel website.