Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) nested SVM (Secure Virtual Machine) implementation has been addressed. The issue affects guests with NRIPS (Non-Return Instruction Pointer) disabled: when an L2 guest is run with an injected soft interrupt, the L1 hypervisor does not supply a NextRIP value and instead advances the current RIP (Instruction Pointer) before execution. KVM compensates by using the current RIP as the NextRIP in vmcb02, emulating a CPU without NRIPS. After the first L2 VMRUN, however, the CPU and/or KVM updates NextRIP, so the originally captured RIP is no longer the correct value for vmcb02. The fix ensures that, after state is saved and restored, the current RIP is used only while a nested run is pending; otherwise NextRIP is used. The same adjustment applies to the soft_int_next_rip variable, which serves a similar purpose in a more specific context.
Exploitation of this vulnerability could lead to KVM using an incorrect NextRIP value in nested virtualization scenarios, resulting in mishandled instruction execution flow for injected soft interrupts in the L2 guest.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the Linux kernel's official website.