Linux Kernel KVM Nested EPT/NPT Hypercall Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's KVM component for the x86 architecture has been addressed. The issue arose in the handling of slow flush hypercalls, where the check for nested EPT/NPT was incorrectly based on whether the virtual CPU was in guest mode. This incorrect check could lead to improper translation of nested guest physical addresses, potentially causing memory management issues for virtual machines. The vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability could lead to incorrect handling of nested virtualization features, potentially causing memory management issues in virtual machines.

Reproduction

The vulnerability can be reproduced by running a virtual machine with nested virtualization enabled, and then invoking slow flush hypercalls. The incorrect handling of the hypercalls will manifest as improper translation of nested guest physical addresses, which could disrupt memory management for the virtual machine.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been fixed.
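
Until a host is upgraded, it helps to know whether the precondition described under Reproduction (nested virtualization enabled) holds on it. The script below is an added example, not part of the original advisory or the kernel project. It assumes the standard `kvm_intel`/`kvm_amd` module parameters `nested`, `ept` and `npt` under `/sys/module`, which the page does not name, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether nested virtualization (the precondition the
# advisory describes) is enabled for KVM on this host.
# Assumption: parameters live in <root>/module/kvm_{intel,amd}/parameters;
# <root> defaults to /sys and is overridable so the logic can be tested.

# Normalise a module parameter file to on/off/unknown.
# kvm_intel exposes booleans as Y/N, kvm_amd exposes "nested" as 1/0.
read_bool() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(cat "$1")" in
        Y|y|1) echo on ;;
        N|n|0) echo off ;;
        *)     echo unknown ;;
    esac
}

# Print one line per loaded vendor module, e.g. "kvm_intel nested=on ept=on",
# or "kvm-vendor-module-not-loaded" when neither module is present.
kvm_nested_status() {
    root="${1:-/sys}"
    found=0
    for pair in kvm_intel:ept kvm_amd:npt; do
        mod="${pair%%:*}"          # module name
        tdp_param="${pair##*:}"    # ept on Intel, npt on AMD
        dir="$root/module/$mod/parameters"
        [ -d "$dir" ] || continue
        found=1
        nested=$(read_bool "$dir/nested")
        tdp=$(read_bool "$dir/$tdp_param")
        echo "$mod nested=$nested $tdp_param=$tdp"
    done
    [ "$found" -eq 1 ] || echo "kvm-vendor-module-not-loaded"
    return 0
}

# Exit status 0 only when some loaded vendor module has nested=on.
kvm_nested_enabled() {
    kvm_nested_status "$1" | grep -q 'nested=on'
}

kvm_nested_status
```

A host reporting `nested=off` does not expose nested virtualization to its guests; hosts reporting `nested=on` are the ones to prioritise for the kernel upgrade.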

Added: May 28, 2026, 4:25 PM
Updated: May 28, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.