CVE-2024-53135

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support
for virtualizing Intel PT via guest/host mode unless BROKEN=y. There are
myriad bugs in the implementation, some of which are fatal to the guest,
and others which put the stability and health of the host at risk.

For guest fatalities, the most glaring issue is that KVM fails to ensure
tracing is disabled, and *stays* disabled prior to VM-Enter, which is
necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing
is enabled (enforced via a VMX consistency check). Per the SDM:

If the logical processor is operating with Intel PT enabled (if
IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load
IA32_RTIT_CTL" VM-entry control must be 0.

On the host side, KVM doesn't validate the guest CPUID configuration
provided by userspace, and even worse, uses the guest configuration to
decide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring
guest CPUID to enumerate more address ranges than are supported in hardware
will result in KVM trying to passthrough, save, and load non-existent MSRs,
which generates a variety of WARNs, ToPA ERRORs in the host, a potential
deadlock, etc.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: VMX: oculta la virtualización de Intel PT (modo invitado/host) detrás de CONFIG_BROKEN Oculta el parámetro del módulo pt_mode de KVM detrás de CONFIG_BROKEN, es decir, deshabilita la compatibilidad con la virtualización de Intel PT a través del modo invitado/host a menos que BROKEN=y. Hay una gran cantidad de errores en la implementación, algunos de los cuales son fatales para el invitado y otros que ponen en riesgo la estabilidad y la salud del host. Para las fatalidades del invitado, el problema más evidente es que KVM no garantiza que el seguimiento esté deshabilitado y *permanece* deshabilitado antes de VM-Enter, lo que es necesario ya que el hardware no permite cargar RTIT_CTL (del invitado) si el seguimiento está habilitado (lo que se aplica a través de una verificación de consistencia de VMX). Según el SDM: si el procesador lógico está funcionando con Intel PT habilitado (si IA32_RTIT_CTL.TraceEn = 1) en el momento de la entrada de la VM, el control de entrada de la VM "cargar IA32_RTIT_CTL" debe ser 0. En el lado del host, KVM no valida la configuración de CPUID del invitado proporcionada por el espacio de usuario y, lo que es peor, utiliza la configuración del invitado para decidir qué MSR guardar/cargar en VM-Enter y VM-Exit. Por ejemplo, configurar la CPUID del invitado para enumerar más rangos de direcciones de los que admite el hardware hará que KVM intente pasar, guardar y cargar MSR inexistentes, lo que genera una variedad de WARN, ERRORES ToPA en el host, un posible bloqueo, etc.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-11-19 CVE Reserved
2024-12-04 CVE Published
2024-12-17 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/f99e3daf94ff35dd4a878d32ff66e1fd35223ad6	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/c3742319d021f5aa3a0a8c828485fee14753f6de	2024-12-14
https://git.kernel.org/stable/c/d4b42f926adcce4e5ec193c714afd9d37bba8e5b	2024-12-14
https://git.kernel.org/stable/c/b8a1d572478b6f239061ee9578b2451bf2f021c2	2024-12-14
https://git.kernel.org/stable/c/e6716f4230a8784957273ddd27326264b27b9313	2024-11-22
https://git.kernel.org/stable/c/d28b059ee4779b5102c5da6e929762520510e406	2024-11-22
https://git.kernel.org/stable/c/b91bb0ce5cd7005b376eac690ec664c1b56372ec	2024-11-22
https://git.kernel.org/stable/c/aa0d42cacf093a6fcca872edc954f6f812926a17	2024-11-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.4.287 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.4.287"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.10.231 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.10.231"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.15.174 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.15.174"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.1.119 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.1.119"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.6.63 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.6.63"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.11.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.11.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.12"		en		Affected