We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-53196

KVM: arm64: Don't retire aborted MMIO instruction



Description

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Don't retire aborted MMIO instruction Returning an abort to the guest for an unsupported MMIO access is a documented feature of the KVM UAPI. Nevertheless, it's clear that this plumbing has seen limited testing, since userspace can trivially cause a WARN in the MMIO return: WARNING: CPU: 0 PID: 30558 at arch/arm64/include/asm/kvm_emulate.h:536 kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 Call trace: kvm_handle_mmio_return+0x46c/0x5c4 arch/arm64/include/asm/kvm_emulate.h:536 kvm_arch_vcpu_ioctl_run+0x98/0x15b4 arch/arm64/kvm/arm.c:1133 kvm_vcpu_ioctl+0x75c/0xa78 virt/kvm/kvm_main.c:4487 __do_sys_ioctl fs/ioctl.c:51 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:893 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x1e0/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x38/0x68 arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 The splat is complaining that KVM is advancing PC while an exception is pending, i.e. that KVM is retiring the MMIO instruction despite a pending synchronous external abort. Womp womp. Fix the glaring UAPI bug by skipping over all the MMIO emulation in case there is a pending synchronous exception. Note that while userspace is capable of pending an asynchronous exception (SError, IRQ, or FIQ), it is still safe to retire the MMIO instruction in this case as (1) they are by definition asynchronous, and (2) KVM relies on hardware support for pending/delivering these exceptions instead of the software state machine for advancing PC.

Reserved 2024-11-19 | Published 2024-12-27 | Updated 2025-01-20 | Assigner Linux

Product status

Default status
unaffected

da345174ceca052469e4775e4ae263b5f27a9355 before 6af853cf5f897d55f42e9166f4db50e84e404fb3
affected

da345174ceca052469e4775e4ae263b5f27a9355 before ea6b5d98fea4ee8cb443ea98fda520909e90d30e
affected

da345174ceca052469e4775e4ae263b5f27a9355 before 1e46460efe1ef9a31748de7675ff8fe0d8601af2
affected

da345174ceca052469e4775e4ae263b5f27a9355 before d0571c3add987bcb69c2ffd7a70c998bf8ce60fb
affected

da345174ceca052469e4775e4ae263b5f27a9355 before e735a5da64420a86be370b216c269b5dd8e830e2
affected

Default status
affected

5.5
affected

Any version before 5.5
unaffected

6.1.120
unaffected

6.6.66
unaffected

6.11.11
unaffected

6.12.2
unaffected

6.13
unaffected

References

git.kernel.org/...c/6af853cf5f897d55f42e9166f4db50e84e404fb3

git.kernel.org/...c/ea6b5d98fea4ee8cb443ea98fda520909e90d30e

git.kernel.org/...c/1e46460efe1ef9a31748de7675ff8fe0d8601af2

git.kernel.org/...c/d0571c3add987bcb69c2ffd7a70c998bf8ce60fb

git.kernel.org/...c/e735a5da64420a86be370b216c269b5dd8e830e2

cve.org (CVE-2024-53196)

nvd.nist.gov (CVE-2024-53196)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-53196

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.