linux_3.13.0-*.*: nVMX: Check current_vmcs12 before accessing in handle_invept()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | High | Unassigned |
Trusty | Fix Released | High | Unassigned |
Bug Description
KVM in linux 3.11 - 3.14 (including ubuntu 14.04 linux <= 3.13.0-113.160) has a
flaw in INVEPT emulation that could crash the host.
[ 1046.384746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
[ 1046.387386] IP: [<ffffffffa05b3
[ 1046.389577] PGD 0
[ 1046.390273] Oops: 0000 [#1] SMP
(tested with Ubuntu 14.04 linux-image-
The host KVM touches NULL pointer (vmx->nested.
(crafted or buggy) guest issues a single-context INVEPT instruction
*without* VMPTRLD like this:
kvm_cpu_
ept_sync_
(requires nested EPT; full linux kernel module code attached)
This code is introduced in upstream commit bfd0a56b90005f8
(nEPT: Nested INVEPT) and removed in 4b855078601fc42
(KVM: nVMX: Don't advertise single context invalidation for invept).
Therefore there should be two ways to fix this.
a. pullup bfd0a56b90005f (and 45e11817d5703e)
b. check current_vmcs12 before accessing for minimal fix:
diff --git a/arch/
index d9e567f..d785e9c 100644
--- a/arch/
+++ b/arch/
@@ -6391,6 +6391,8 @@ static int handle_
switch (type) {
case VMX_EPT_
+ if (to_vmx(
+ break;
if ((operand.eptp & eptp_mask) !=
(nested_
break;
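Review bot: the new early `break` in the VMX_EPT_ case (`+ if (to_vmx(` / `+ break;`) stops the NULL dereference, but the hunk does not show what is reported to the guest after the switch, so confirm that leaving the switch with no current VMCS12 still completes the instruction (succeed or fail) rather than exiting half-emulated; the existing eptp-mismatch branch in the same case also just `break`s, so both paths should report consistently. A one-line comment above the new check saying why current_vmcs12 can be NULL here (an L1 guest issuing single-context INVEPT before any VMPTRLD, as the report describes) would help, since nothing in the surrounding code makes that precondition visible. This is the minimal option (b) from the report; the upstream commit 4b855078601fc42 named above sidesteps the case entirely by no longer advertising single-context invalidation, which is the more robust choice if it can be backported.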
Changed in linux (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → High

Changed in linux (Ubuntu):
status: Confirmed → Invalid

Changed in linux (Ubuntu Trusty):
status: Triaged → Fix Committed
Hello and thank you for the bug report!
I don't see an existing CVE assigned to this issue. CVE-2014-3645 affects a similar area of the kernel source but it has a different impact and is not the same issue.
We need a little bit of time to verify the report. Thank you for such a clear description.