Linux Kernel VTL0 Memory Registration Vulnerability in mshv_vtl Driver Allows Exceeding Maximum Folio Order

Vulnerability

A vulnerability in the Linux kernel's mshv_vtl driver can lead to improper memory handling when registering VTL0 memory. The issue arises because the kernel calculates the vmemmap_shift parameter based on the number of trailing zeros in the physical range's page frame numbers (PFNs). This calculation aims to align with the largest compound page order. However, the shift value is not restricted to the maximum allowed folio order, allowing certain aligned ranges to generate a shift that exceeds what the memremap_pages function can handle. This discrepancy triggers a warning and an error, indicating an unsupported folio size.

The vulnerability has been addressed by clamping the vmemmap_shift to the maximum folio order, ensuring that only valid page sizes are requested. Additionally, the error handling has been improved to accurately reflect the actual error codes from the memory remapping function, rather than using a generic fault code that obscured the real issue.
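The following user-space model of the shift calculation and the clamp is an added example, not the kernel's or the driver's own code. The constant EXAMPLE_MAX_FOLIO_ORDER, the function names, the sample PFN ranges and the way the two PFNs are combined (bitwise OR of both bounds) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this model only; the kernel's real maximum folio
 * order depends on architecture and configuration. */
#define EXAMPLE_MAX_FOLIO_ORDER 18u

/* Count trailing zero bits; returns 64 when no bit is set. */
static unsigned int trailing_zeros64(uint64_t v)
{
    unsigned int n = 0;

    if (v == 0)
        return 64;
    while ((v & 1u) == 0) {
        v >>= 1;
        n++;
    }
    return n;
}

/* Shift derived from PFN alignment alone (the unclamped behaviour).
 * OR-ing both bounds is an assumption about how the PFNs are combined. */
static unsigned int shift_unclamped(uint64_t start_pfn, uint64_t end_pfn)
{
    return trailing_zeros64(start_pfn | end_pfn);
}

/* Same calculation with the clamp the fix describes. */
static unsigned int shift_clamped(uint64_t start_pfn, uint64_t end_pfn)
{
    unsigned int shift = shift_unclamped(start_pfn, end_pfn);

    return shift > EXAMPLE_MAX_FOLIO_ORDER ? EXAMPLE_MAX_FOLIO_ORDER : shift;
}

int main(void)
{
    /* Constructed sample ranges: {start_pfn, end_pfn}. */
    const uint64_t ranges[][2] = { {0x200, 0x600}, {0x100000, 0x200000} };

    for (size_t i = 0; i < sizeof(ranges) / sizeof(ranges[0]); i++)
        printf("pfn %#llx-%#llx: unclamped=%u clamped=%u\n",
               (unsigned long long)ranges[i][0], (unsigned long long)ranges[i][1],
               shift_unclamped(ranges[i][0], ranges[i][1]),
               shift_clamped(ranges[i][0], ranges[i][1]));
    return 0;
}
```

A range whose alignment stays below the limit is unchanged by the clamp, while a more strictly aligned range is reduced to the limit instead of being passed on as an unsupported order.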

Impact

Exceeding the maximum folio order during memory remapping can disrupt proper memory management, potentially leading to undefined behavior or system instability.

Reproduction

To reproduce this vulnerability, register VTL0 memory through the MSHV_ADD_VTL0_MEMORY command, using a physical range that is sufficiently aligned and corresponds to a start_pfn with a high number of trailing zeros. This will cause the vmemmap_shift to exceed the maximum folio order, triggering the warning and error response from the memremap_pages function.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: May 8, 2026, 2:52 PM
Updated: May 8, 2026, 2:52 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.0
exploitability: 4.3
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.