CVE-2021-47230

{"id": "CVE-2021-47230", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.3}]}, "published": "2024-05-21T15:15:12.400", "references": [{"url": "https://git.kernel.org/stable/c/669a8866e468fd020d34eb00e08cb41d3774b71b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/78fcb2c91adfec8ce3a2ba6b4d0dda89f2f4a7c6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cbb425f62df9df7abee4b3f068f7ed6ffc3561e2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/df9a40cfb3be2cbeb1c17bb67c59251ba16630f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Immediately reset the MMU context when the SMM flag is cleared\n\nImmediately reset the MMU context when the vCPU's SMM flag is cleared so\nthat the SMM flag in the MMU role is always synchronized with the vCPU's\nflag. If RSM fails (which isn't correctly emulated), KVM will bail\nwithout calling post_leave_smm() and leave the MMU in a bad state.\n\nThe bad MMU role can lead to a NULL pointer dereference when grabbing a\nshadow page's rmap for a page fault as the initial lookups for the gfn\nwill happen with the vCPU's SMM flag (=0), whereas the rmap lookup will\nuse the shadow page's SMM flag, which comes from the MMU (=1). SMM has\nan entirely different set of memslots, and so the initial lookup can find\na memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1).\n\n general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline]\n RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947\n Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44\n RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002\n R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000\n R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000\n FS: 000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline]\n mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604\n __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline]\n direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769\n kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline]\n kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065\n vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122\n vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428\n vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494\n kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722\n kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:1069 [inline]\n __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055\n do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x440ce9"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: restablece inmediatamente el contexto de MMU cuando se borra el indicador SMM Restablece inmediatamente el contexto de MMU cuando se borra el indicador SMM de la vCPU para que el indicador SMM en la funci\u00f3n MMU est\u00e9 siempre sincronizado con el indicador de la vCPU. Si RSM falla (que no se emula correctamente), KVM se retirar\u00e1 sin llamar a post_leave_smm() y dejar\u00e1 la MMU en mal estado. La funci\u00f3n incorrecta de MMU puede provocar una desreferencia del puntero NULL al tomar el rmap de una p\u00e1gina oculta para una falla de p\u00e1gina, ya que las b\u00fasquedas iniciales para gfn se realizar\u00e1n con el indicador SMM de la vCPU (=0), mientras que la b\u00fasqueda de rmap utilizar\u00e1 el SMM de la p\u00e1gina oculta. bandera, que proviene de la MMU (=1). SMM tiene un conjunto de ranuras de memoria completamente diferente, por lo que la b\u00fasqueda inicial puede encontrar una ranura de memoria (SMM=0) y luego explotar en la b\u00fasqueda de ranura de memoria de rmap (SMM=1). falla de protecci\u00f3n general, probablemente para direcci\u00f3n no can\u00f3nica 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref en rango [0x0000000000000000-0x00000000000000007] CPU: 1 PID: 8410 Comm: No contaminado 5.13.0 -rc5-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [en l\u00ednea] RIP: 0010: gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947 C\u00f3digo: &lt;42&gt; 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44 RSP:ffffc90000ffe f98 EFLAGS : 00010246 RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40 RDX: 00000000000000000 RSI: 0000000000000001 RDI: 00000000000 00001 RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002 R10: ffffed10065a6002 R11: 00000000000000000 R12: dffffc0000000000 R13: 0000000000003 R14: 0000000000000001 R15: 0000000000000000 FS: 000000000124b300 (0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 8e31000 CR4: 00000000001526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas: rmap_add arch/x86/kvm/mmu/mmu.c:965 [en l\u00ednea] mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604 __direct_map arch/x86/kvm/mmu/mmu. c:2862 [en l\u00ednea] direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769 kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [en l\u00ednea] kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/ mmu/mmu.c:5065 vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122 vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428 vcpu_run+0x416/0xc20 arch/x86/ kvm/x86.c:9494 kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722 kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c :3460 vfs_ioctl fs/ioctl.c:51 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:1069 [en l\u00ednea] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055 do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c :47 entrada_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x440ce9"}], "lastModified": "2024-07-03T01:37:24.797", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}