Linux Kernel KVM Shadow Paging Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's KVM module for the x86 architecture, specifically within the shadow paging mechanism. The issue arises when guest page tables are altered between VM entries, so that the Guest Frame Number (GFN) KVM computes for a shadow page no longer matches the guest mapping it was created from. The mismatch allows freed memory to be dereferenced, which can be triggered by operations that walk the now-stale reverse mapping (rmap), such as dirty logging or certain memory-management (MMU notifier) notifications.

Impact

Exploitation of this vulnerability causes a use-after-free condition in the host kernel, where KVM continues to use memory that has already been freed, potentially leading to memory corruption or arbitrary code execution in host kernel context.

Reproduction

The vulnerability can be reproduced by creating a virtual machine whose guest operating system uses large (2MB) page mappings. Once the VM is running, modify the guest's page tables to change the mapping. After this change, access another page within the same 2MB region. KVM will then install a new shadow page table entry (SPTE) using the updated mapping, but this entry will reference a GFN outside the range expected for that shadow page. When the original 2MB mapping is deleted, the corresponding KVM MMU shadow page is zapped, but the reverse mapping entry remains stale, leading to the use-after-free condition.

Remediation

Users should upgrade to a Linux kernel version that includes the fix for this vulnerability. Instructions for obtaining the patched kernel can be found in the Linux kernel documentation.
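The advisory does not say which hosts are actually exposed, so a practitioner's first question is whether the shadow MMU is in use at all. The following host triage script is an added example, not code from this advisory or from the kernel project. It assumes the standard KVM module parameters exposed under /sys/module/kvm_intel/parameters (ept, nested) and /sys/module/kvm_amd/parameters (npt, nested): when ept/npt is off, every guest runs on shadow paging; when nested virtualization is enabled, the shadow MMU is still reachable through nested guests even with hardware two-dimensional paging on. The script cannot know the fixed kernel version (the page does not state one), so the printed kernel release must be compared against your distribution's advisory.

```shell
#!/bin/sh
# Host-exposure triage for the KVM shadow-paging use-after-free described above.
# Added example, not code from the advisory or from the kernel project.
# Assumptions (not stated on the page): the module parameters
#   /sys/module/kvm_intel/parameters/{ept,nested} and
#   /sys/module/kvm_amd/parameters/{npt,nested}
# exist when the respective module is loaded; ept/npt = N (or 0) means
# hardware two-dimensional paging is disabled, so every guest runs on the
# shadow MMU; nested = Y (or 1) means the shadow MMU is also reachable
# through nested guests even when ept/npt is on.

# Map a raw Y/N/1/0 parameter value to a short token (pure, testable).
classify_tdp_value() {
    case "$1" in
        Y|y|1) echo "tdp-on" ;;
        N|n|0) echo "shadow-paging" ;;
        *)     echo "unknown" ;;
    esac
}

# Print the trimmed content of a sysfs file, or "absent" if unreadable.
read_param() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        echo "absent"
    fi
}

# Summarise exposure as one token. $1 is the sysfs root, overridable so the
# function can be exercised against a constructed directory tree.
kvm_shadow_exposure() {
    root="${1:-/sys}"
    intel="$root/module/kvm_intel/parameters"
    amd="$root/module/kvm_amd/parameters"
    ept=$(read_param "$intel/ept")
    npt=$(read_param "$amd/npt")

    if [ "$ept" = absent ] && [ "$npt" = absent ]; then
        echo "kvm-not-loaded"
        return 0
    fi

    # Whichever vendor module is loaded decides the TDP state.
    if [ "$ept" != absent ]; then
        tdp=$(classify_tdp_value "$ept")
        nested=$(read_param "$intel/nested")
    else
        tdp=$(classify_tdp_value "$npt")
        nested=$(read_param "$amd/nested")
    fi

    if [ "$tdp" = shadow-paging ]; then
        echo "shadow-paging"                        # every guest exercises the shadow MMU
    elif [ "$tdp" = tdp-on ]; then
        case "$nested" in
            Y|y|1) echo "tdp-on-nested-enabled" ;;  # shadow MMU reachable via nested guests
            *)     echo "tdp-on" ;;
        esac
    else
        echo "unknown"
    fi
}

# Stand-alone run: report the running kernel release and the exposure token.
printf 'kernel=%s kvm_shadow_exposure=%s\n' "$(uname -r)" "$(kvm_shadow_exposure)"
```

A result of "shadow-paging" means every guest on the host drives the affected code path and the kernel update should be prioritised; "tdp-on-nested-enabled" means only nested guests reach it, and "tdp-on" with nesting disabled is the lowest-exposure configuration, though the update is still required because the vulnerable code remains present.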

Added: May 28, 2026, 2:42 PM
Updated: May 28, 2026, 2:42 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  4.3
  remediation     7.7
  relevance       9.2
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.