Linux Kernel KVM Nested MMU Array Reassignment Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's KVM (Kernel-based Virtual Machine) module for the arm64 architecture, specifically in the management of nested memory management unit (MMU) structures. The nested MMU array is accessed under the MMU lock, including from MMU notifier callbacks, which can run at any time. When the KVM virtual CPU initialization function reallocates the nested MMU array, it frees the old buffer while holding only a different lock, so a concurrent kernel code path (such as an MMU notifier) that still holds a reference to the old array can read memory that has already been freed. This is a use-after-free. The problem has been addressed by performing the allocation outside of the MMU lock, so that the array can be swapped and the old buffer released without risking memory corruption.

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, in which the kernel continues to use memory after it has been freed, potentially causing crashes or allowing arbitrary code execution.

Reproduction

To reproduce this vulnerability, initialize a KVM virtual CPU on an arm64 system and trigger the MMU notifier path that unmaps guest frame numbers; this path accesses the nested MMU array under the MMU lock. Concurrently, run the KVM virtual CPU initialization process, which reallocates the nested MMU array and frees the old buffer while holding only the configuration lock. This sequence creates a race in which the MMU notifier references the freed memory, resulting in a use-after-free.

Remediation

Users can upgrade to the latest version of the Linux kernel, in which this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Jun 9, 2026, 1:46 PM
Updated: Jun 9, 2026, 1:46 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          1.3
exploitability  3.4
remediation     7.7
relevance       9.6
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.