CVE-2024-53135

Summary

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support for virtualizing Intel PT via guest/host mode unless BROKEN=y. There are myriad bugs in the implementation, some of which are fatal to the guest, and others which put the stability and health of the host at risk.

For guest fatalities, the most glaring issue is that KVM fails to ensure tracing is disabled, and stays disabled prior to VM-Enter, which is necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing is enabled (enforced via a VMX consistency check). Per the SDM:

If the logical processor is operating with Intel PT enabled (if IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load IA32_RTIT_CTL" VM-entry control must be 0.

On the host side, KVM doesn't validate the guest CPUID configuration provided by userspace, and even worse, uses the guest configuration to decide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring guest CPUID to enumerate more address ranges than are supported in hardware will result in KVM trying to passthrough, save, and load non-existent MSRs, which generates a variety of WARNs, ToPA ERRORs in the host, a potential deadlock, etc.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf99e3daf94ff35dd4a878d32ff66e1fd35223ad6 < c3742319d021f5aa3a0a8c828485fee14753f6deaffected
LinuxLinuxf99e3daf94ff35dd4a878d32ff66e1fd35223ad6 < d4b42f926adcce4e5ec193c714afd9d37bba8e5baffected
LinuxLinuxf99e3daf94ff35dd4a878d32ff66e1fd35223ad6 < b8a1d572478b6f239061ee9578b2451bf2f021c2affected
LinuxLinuxf99e3daf94ff35dd4a878d32ff66e1fd35223ad6 < e6716f4230a8784957273ddd27326264b27b9313affected
LinuxLinuxf99e3daf94ff35dd4a878d32ff66e1fd35223ad6 < d28b059ee4779b5102c5da6e929762520510e406affected
LinuxLinuxf99e3daf94ff35dd4a878d32ff66e1fd35223ad6 < b91bb0ce5cd7005b376eac690ec664c1b56372ecaffected
LinuxLinuxf99e3daf94ff35dd4a878d32ff66e1fd35223ad6 < aa0d42cacf093a6fcca872edc954f6f812926a17affected
LinuxLinux5.0affected
LinuxLinux0 < 5.0unaffected
LinuxLinux5.4.287 <= 5.4.*unaffected
LinuxLinux5.10.231 <= 5.10.*unaffected
LinuxLinux5.15.174 <= 5.15.*unaffected
LinuxLinux6.1.119 <= 6.1.*unaffected
LinuxLinux6.6.63 <= 6.6.*unaffected
LinuxLinux6.11.10 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References