From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: CVE-2023-54296: KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration
Date: Tue, 30 Dec 2025 13:23:49 +0100
Message-ID: <2025123031-CVE-2023-54296-e667@gregkh>
X-Mailing-List: linux-cve-announce@vger.kernel.org

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration

Fix a goof where KVM tries to grab source vCPUs from the destination VM
when doing intrahost migration.  Grabbing the wrong vCPU not only hoses
the guest, it also crashes the host due to the VMSA pointer being left
NULL.

  BUG: unable to handle page fault for address: ffffe38687000000
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP NOPTI
  CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: G O 6.5.0-smp--fff2e47e6c3b-next #151
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023
  RIP: 0010:__free_pages+0x15/0xd0
  RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100
  RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000
  RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000
  R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000
  R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0
  PKRU: 55555554
  Call Trace:
   sev_free_vcpu+0xcb/0x110 [kvm_amd]
   svm_vcpu_free+0x75/0xf0 [kvm_amd]
   kvm_arch_vcpu_destroy+0x36/0x140 [kvm]
   kvm_destroy_vcpus+0x67/0x100 [kvm]
   kvm_arch_destroy_vm+0x161/0x1d0 [kvm]
   kvm_put_kvm+0x276/0x560 [kvm]
   kvm_vm_release+0x25/0x30 [kvm]
   __fput+0x106/0x280
   ____fput+0x12/0x20
   task_work_run+0x86/0xb0
   do_exit+0x2e3/0x9c0
   do_group_exit+0xb1/0xc0
   __x64_sys_exit_group+0x1b/0x20
   do_syscall_64+0x41/0x90
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  CR2: ffffe38687000000

The Linux kernel CVE team has assigned CVE-2023-54296 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 5.19 with commit 6defa24d3b12bbd418bc8526dea1cbc605265c06 and fixed in 6.1.54 with commit 5c18ace750e4d4d58d7da02d1c669bf21c824158
	Issue introduced in 5.19 with commit 6defa24d3b12bbd418bc8526dea1cbc605265c06 and fixed in 6.5.4 with commit 2ee4b180d51b12a45bdd3264629719ef6a572a73
	Issue introduced in 5.19 with commit 6defa24d3b12bbd418bc8526dea1cbc605265c06 and fixed in 6.6 with commit f1187ef24eb8f36e8ad8106d22615ceddeea6097
	Issue introduced in 5.18.8 with commit 229334a8b1d0d5e60d3bdd091bbc4552d5321c97

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-54296
will be updated if fixes are backported; please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	arch/x86/kvm/svm/sev.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/5c18ace750e4d4d58d7da02d1c669bf21c824158
	https://git.kernel.org/stable/c/2ee4b180d51b12a45bdd3264629719ef6a572a73
	https://git.kernel.org/stable/c/f1187ef24eb8f36e8ad8106d22615ceddeea6097
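As an added example (not part of the announcement or of the kernel tree), the following POSIX shell helper classifies a kernel version string against the introduced and fixed versions listed in the "Affected and fixed versions" section above, so an administrator can check a fleet's `uname -r` output before deciding whether the update is urgent. The classification logic and the thresholds (5.18.8, 6.1.54, 6.2, 6.5.4) are this example's own reading of the advisory; the function names `ver_key` and `cve_2023_54296_status` are assumptions.

```sh
#!/bin/sh
# Added example (not part of the CVE announcement): classify a kernel version
# string against the ranges this advisory lists for CVE-2023-54296.
# Ranges, from the "Affected and fixed versions" section:
#   introduced in 5.19 (and backported into 5.18.8); fixed in 6.1.54, 6.5.4, 6.6.
# Series that went end-of-life without the fix (5.18, 5.19, 6.0, 6.2-6.4) stay
# "affected". Release candidates are treated as the release they precede.
# Distribution kernels that backport the fix under an older version number are
# reported as affected; consult the CVE record for those.

# ver_key "6.1.53-generic" -> 6010053  (major*1000000 + minor*10000 + patch)
ver_key() {
    base=${1%%[!0-9.]*}            # keep the leading "x.y[.z]" digits-and-dots prefix
    case $base in *.*) ;; *) return 1 ;; esac
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}
    case $rest in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
    pat=${pat%%.*}                 # drop any fourth component (e.g. "4.19.1.2")
    [ -n "$maj" ] && [ -n "$min" ] && [ -n "$pat" ] || return 1
    echo $((maj * 1000000 + min * 10000 + pat))
}

# cve_2023_54296_status VERSION
# Prints "affected", "fixed" or "unaffected" and returns 0; prints
# "unparseable" and returns 2 if the version string cannot be parsed.
cve_2023_54296_status() {
    v=$(ver_key "$1") || { echo "unparseable"; return 2; }
    if   [ "$v" -lt "$(ver_key 5.18.8)" ]; then s=unaffected  # predates the 5.18.8 backport
    elif [ "$v" -lt "$(ver_key 6.1.54)" ]; then s=affected    # 5.18.8 .. 6.1.53 (5.19, 6.0 never fixed)
    elif [ "$v" -lt "$(ver_key 6.2)"    ]; then s=fixed       # 6.1.54 and later 6.1.y
    elif [ "$v" -lt "$(ver_key 6.5.4)"  ]; then s=affected    # 6.2 .. 6.5.3 (6.2-6.4 never fixed)
    else                                         s=fixed       # 6.5.4 and later 6.5.y, 6.6+
    fi
    echo "$s"
}

# Usage: ./cve-2023-54296-check.sh [VERSION]   (defaults to the running kernel)
cve_2023_54296_status "${1:-$(uname -r)}" || :
```

The comparison key keeps each component in its own decimal field, so `6.1.54` sorts after `6.1.9` and `6.10` sorts after `6.9` without string tricks. The script only knows upstream version numbers; a vendor kernel that carries one of the three listed commits as a backport still reports "affected" here, which is the same caveat the advisory itself makes about backports.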