From: Vitaly Kuznetsov <vkuznets@redhat.com>
To: Greg KH <gregkh@kernel.org>, Paolo Bonzini <pbonzini@redhat.com>
Cc: cve@kernel.org, linux-kernel@vger.kernel.org,
KVM list <kvm@vger.kernel.org>
Subject: Re: CVE-2021-46978: KVM: nVMX: Always make an attempt to map eVMCS after migration
Date: Thu, 29 Feb 2024 09:08:42 +0100
Message-ID: <87jzmnn14l.fsf@redhat.com>
In-Reply-To: <2024022905-barrette-lividly-c312@gregkh>
Greg KH <gregkh@kernel.org> writes:
> On Wed, Feb 28, 2024 at 11:09:50PM +0100, Paolo Bonzini wrote:
>> On 2/28/24 09:14, Greg Kroah-Hartman wrote:
>> > From: gregkh@kernel.org
>> >
>> > Description
>> > ===========
>> >
>> > In the Linux kernel, the following vulnerability has been resolved:
>> >
>> > KVM: nVMX: Always make an attempt to map eVMCS after migration
>>
>> How does this break the confidentiality, integrity or availability of the
>> host kernel? It's a fix for a failure to restart the guest after migration.
>> Vitaly can confirm.
>
> It's a fix for the availability of the guest kernel, which now can not
> boot properly, right? That's why this was selected. If this is not
> correct, I will be glad to revoke this.
>
To be precise, this issue is about the guest's behavior post-migration and
not booting. Also, it should be noted that the "Enlightened VMCS" feature is
normally not used for Linux guests on KVM, so the "guest kernel" is
actually a Windows kernel (or Hyper-V) :-)

Personally, I don't see how this particular issue differs from other KVM
hypervisor bugs. I.e., when the hypervisor misbehaves, the guest will likely
suffer, and in many cases "suffer" means crash. What *is* important is
who can trigger the hypervisor's misbehavior. In case it is guest triggered
(and especially if triggered from CPL!=0), security implications are
possible. In the even worse case when such guest actions can cause
issues in the host's kernel, the presence of a vulnerability is almost
certain.

Migration is (normally) not guest triggered; it's a deliberate action on
the host.
--
Vitaly