CVE-2022-48765
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: LAPIC: Also cancel preemption timer during SET_LAPIC
The below warning is splatting during guest reboot.
————[ cut here ]———— WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] Call Trace: <TASK> kvm_vcpu_ioctl+0x279/0x710 [kvm] __x64_sys_ioctl+0x83/0xb0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd39797350b
This can be triggered by not exposing tsc-deadline mode and doing a reboot in the guest. The lapic_shutdown() function which is called in sys_reboot path will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode switch between tsc-deadline and oneshot/periodic, which can result in preemption timer be cancelled in apic_update_lvtt(). However, We can't depend on this when not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption timer. Qemu will synchronise states around reset, let's cancel preemption timer under KVM_SET_LAPIC.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 8003c9ae204e21204e49816c5ea629357e283b06 < 54b3439c8e70e0bcfea59aeef9dd98908cbbf655 | affected |
| Linux | Linux | 8003c9ae204e21204e49816c5ea629357e283b06 < ce55f63f6cea4cab8ae9212f73285648a5baa30d | affected |
| Linux | Linux | 8003c9ae204e21204e49816c5ea629357e283b06 < 35fe7cfbab2e81f1afb23fc4212210b1de6d9633 | affected |
| Linux | Linux | 4.10 | affected |
| Linux | Linux | 0 < 4.10 | unaffected |
| Linux | Linux | 5.15.19 <= 5.15.* | unaffected |
| Linux | Linux | 5.16.5 <= 5.16.* | unaffected |
| Linux | Linux | 5.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655
- https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d
- https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655
- https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d
- https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.