KVM: a issue which maybe a vulnerability

KVM: a issue which maybe a vulnerability

[Yilu Lin]

Hello. There is a issue about the kvm module in kernel, which may be a vulnerability. And I need your adivce.

Here is affect version:
    Linux kernel version 3.10.The virtualization platform uses the general Linux version before 4.15, which may also involve.
    The issue is fixed in v4.15-rc1.Commit ID is dedf9c5e216902c6d34b5a0d0c40f4acbb3706d8. Link is https://github.com/torvalds/linux/commit/dedf9c5e216902c6d34b5a0d0c40f4acbb3706d8.

Here is prerequisites for issue exploitation:
    1. The attacker has root privileges on the virtual machine (GuestOS).
    2. The Linux kernel version of the host HostOS is less than 3.10 (theoretical analysis shows that versions less than 4.15 are affected).
    3. The CPU APIC timer type when GuestOS starts is deadline.
    4. The attacker resets the CPU APIC timer type to period within GuestOS.

Here is steps for loophole recurrence:
    1. Create and start GuestOS（The CPU APIC timer type is deadline when GuestOS starts）.
    2. Reset the CPU APIC timer type to period within GuestOS. HostOS panic will be triggered probability.

Here is description of the cause of the issue:
    This vulnerability is a vulnerability in the kvm module in the open-source linux kernel. There is a logic error in the processing interrupt of the kvm module lpaic. When the corresponding timing problem occurs, HardLock will reset the HostOS. Specific problem logic:
    1. After the virtual machine (GuestOS) is started, initialize the CPU ACPI timer type as deadline, and start the timer timer; The CPU APIC timer type of the GuestOS will be recorded in the HostOS KVM module.
    2. Modify CPU APIC timer to period type in GuestOS;
    3. The process of changing CPU APIC timer type will be executed in module of kvm in HostOS;
    4. When changing the CPU APIC timer type, it is possible to be interrupted by an interrupt whose timer has expired;
    5. If the interrupt processing function of the timer thinks that the CPU APIC timer type is period, the CPU APIC timer will be added to the timer task list again; However, in this process, the CPU APIC timer period type value is not initialized, which causes the timer timeout to remain unchanged. Therefore, the timer task will be added back to the task list repeatedly, causing an endless loop, which eventually causes HardLock to reset the host.

Here is the issue impact:
    The HostOS is panic. All virtual machines on the host are abnormal and cannot be used.

Re: KVM: a issue which maybe a vulnerability

[Greg KH]

On Mon, Dec 12, 2022 at 07:15:32PM +0800, Yilu Lin wrote:
> Hello. There is a issue about the kvm module in kernel, which may be a vulnerability. And I need your adivce.
> 
> Here is affect version:
>     Linux kernel version 3.10.The virtualization platform uses the general Linux version before 4.15, which may also involve.
>     The issue is fixed in v4.15-rc1.Commit ID is dedf9c5e216902c6d34b5a0d0c40f4acbb3706d8. Link is https://github.com/torvalds/linux/commit/dedf9c5e216902c6d34b5a0d0c40f4acbb3706d8.
> 

Have you tried backporting this commit to 4.14.y and seeing if it
resolves the issue?  If so, can you send the backport here for
inclusion?

thanks,

greg k-h