Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's KVM SVM (AMD-V) code stems from improper management of the CR8 write intercept when AVIC (Advanced Virtual Interrupt Controller) is activated or deactivated. While AVIC is deactivated, KVM intercepts guest CR8 writes so that it can track the Task Priority Register (TPR) in software; when AVIC is subsequently (re)activated, KVM fails to clear that intercept, so it stays set indefinitely. A dangling CR8 write intercept is primarily a performance problem, since guest TPR writes that the hardware-virtualized APIC could handle directly now cause VM-exits. For Windows guests, which rely on the TPR for interrupt prioritization, it is more serious: the TPR state KVM works with can fall out of sync with the guest's actual state, disrupting the guest's interrupt handling. VMX is not affected, because with APICv active Intel hardware does not require CR8 write interception.
Impact: a CR8 write intercept left set after AVIC is reactivated degrades guest performance and, for Windows guests, can desynchronize the TPR from the guest's actual state, leading to incorrect interrupt prioritization and severe disruption of the guest.
To reproduce this vulnerability, run a guest on a KVM SVM host with AVIC enabled and trigger a window in which AVIC is deactivated, for example by emulating an INIT so that the vCPU sits in the Wait-For-SIPI (WFS) state while AVIC is turned off. During that window KVM arms the CR8 write intercept; once AVIC is reactivated the intercept is never cleared and remains active indefinitely. The result is observable as extra VM-exits on guest TPR writes and, in Windows guests, as disturbed interrupt handling.
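The sequence above can be made concrete with a small model of the intercept state. The following C program is an added example, not kernel code and not part of the original advisory: it models the single VMCB intercept bit involved and mirrors the shape of KVM's `update_cr8_intercept()` logic (early return while APICv/AVIC is active, otherwise arm the intercept only when TPR masks the highest pending interrupt). The struct and function names, the `fixed` flag and the sample TPR/IRR values are assumptions chosen for illustration; they show why the bit is left dangling after reactivation and how clearing it on activation resolves it.

```c
/*
 * Added example (not kernel code): a minimal model of the SVM CR8 write
 * intercept state machine. It replays the sequence from the text
 * (AVIC off -> KVM arms the CR8 write intercept -> AVIC reactivated) and
 * compares the buggy behaviour (intercept left set) with the fixed one
 * (intercept cleared when AVIC is activated). Names and structure are
 * simplified assumptions, not the kernel's actual functions.
 */
#include <stdbool.h>
#include <stdio.h>

/* Model of the one VMCB intercept bit we care about plus the AVIC state. */
struct vcpu_model {
    bool avic_active;          /* analogue of kvm_vcpu_apicv_active() */
    bool cr8_write_intercept;  /* analogue of the INTERCEPT_CR8_WRITE bit */
};

/*
 * Analogue of KVM's update_cr8_intercept(): when APICv/AVIC is active the
 * function bails out early, so the intercept bit is never touched again.
 * When AVIC is inactive, the intercept is armed only if the guest's TPR
 * (high nibble) would mask the highest pending interrupt (tpr >= max_irr),
 * so KVM sees the CR8 write that lowers TPR and can deliver the interrupt.
 * max_irr == -1 means no interrupt is pending.
 */
static void update_cr8_intercept(struct vcpu_model *v, int tpr, int max_irr)
{
    if (v->avic_active)
        return;
    v->cr8_write_intercept = false;
    if (max_irr == -1)
        return;
    if (tpr >= max_irr)
        v->cr8_write_intercept = true;
}

/* AVIC (de)activation as modelled before (fixed == false) and after the fix. */
static void avic_set_active(struct vcpu_model *v, bool active, bool fixed)
{
    v->avic_active = active;
    /* The fix: a hardware-virtualised TPR needs no CR8 write intercept. */
    if (active && fixed)
        v->cr8_write_intercept = false;
}

/*
 * Scenario from the text: AVIC is deactivated (e.g. INIT emulation with the
 * vCPU in WFS), KVM arms the CR8 intercept because a pending interrupt is
 * masked by TPR, then AVIC is reactivated. Returns whether the CR8 write
 * intercept is still armed afterwards.
 */
bool cr8_intercept_dangling_after_reactivation(bool fixed)
{
    struct vcpu_model v = { .avic_active = true, .cr8_write_intercept = false };

    avic_set_active(&v, false, fixed);   /* AVIC goes away for a while */
    update_cr8_intercept(&v, 0xA, 0x8);  /* TPR 0xA masks pending priority 0x8 */
    avic_set_active(&v, true, fixed);    /* AVIC comes back */
    update_cr8_intercept(&v, 0x0, 0x8);  /* skipped: AVIC active, bit untouched */
    return v.cr8_write_intercept;
}

int main(void)
{
    printf("buggy KVM: CR8 write intercept dangling = %d\n",
           cr8_intercept_dangling_after_reactivation(false));
    printf("fixed KVM: CR8 write intercept dangling = %d\n",
           cr8_intercept_dangling_after_reactivation(true));
    return 0;
}
```

The model prints `1` for the buggy path and `0` for the fixed path: once AVIC is active, the update routine never revisits the bit, so the only place it can be cleared is the activation step itself, which is where the fix belongs.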
Users should update to a Linux kernel release that includes the fix for this issue. Patched kernel sources are available from the official Linux kernel website (kernel.org).