Recently, an important vulnerability was discovered and resolved in the Linux kernel, concerning KVM's VMX code and its virtualization of Intel Processor Trace (PT). The problem was a series of bugs in the implementation that posed significant risks to the stability and health of both the guest and the host.

In this post, we will discuss the details of CVE-2024-53135, provide the corresponding code snippet to address this vulnerability, and share links to the original references for further information.

Vulnerability Description

The core issue was that KVM did not ensure tracing was disabled (and stayed disabled) before VM-Enter. As a result, KVM failed to follow the Intel Software Developer's Manual (SDM), which specifies that the "load IA32_RTIT_CTL" VM-entry control must be 0 if Intel PT tracing is enabled when the VM entry occurs.

The vulnerability also affected the host side: KVM did not validate the guest CPUID configuration provided by userspace. Worse, it used that guest configuration to decide which MSRs to save and load at VM-Enter and VM-Exit, which produced a variety of WARNs and ToPA ERRORs on the host and could lead to deadlocks.
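To make the two missing checks concrete, here is an added model (not KVM's code) of the SDM consistency rule and of the guest-CPUID validation the host side lacked; the bit positions follow the Intel SDM as read by the author of this example, and the capability names and counts are constructed sample data.

```python
# Added example, not KVM's code: a model of the two validations whose
# absence CVE-2024-53135 describes. Bit positions follow the Intel SDM as
# read by this example's author; capability names/numbers are constructed.
RTIT_CTL_TRACEEN = 1 << 0         # IA32_RTIT_CTL.TraceEn
VM_ENTRY_LOAD_RTIT_CTL = 1 << 18  # "load IA32_RTIT_CTL" VM-entry control

def vm_entry_pt_consistent(host_rtit_ctl: int, vm_entry_controls: int) -> bool:
    """SDM rule: if TraceEn is 1 at VM entry, 'load IA32_RTIT_CTL' must be 0.
    Hardware enforces this as a VMX consistency check: VM-Enter fails and
    the guest never runs when both are set."""
    tracing_on = bool(host_rtit_ctl & RTIT_CTL_TRACEEN)
    loads_guest_rtit = bool(vm_entry_controls & VM_ENTRY_LOAD_RTIT_CTL)
    return not (tracing_on and loads_guest_rtit)

def prepare_vm_entry(host_rtit_ctl: int, vm_entry_controls: int) -> int:
    """What a correct VMM does before VM-Enter when it will load the guest's
    RTIT_CTL: stop host tracing first and keep it stopped. Returns the
    RTIT_CTL value that must be in effect at the VM-Enter instruction."""
    if vm_entry_controls & VM_ENTRY_LOAD_RTIT_CTL:
        host_rtit_ctl &= ~RTIT_CTL_TRACEEN
    if not vm_entry_pt_consistent(host_rtit_ctl, vm_entry_controls):
        raise RuntimeError("VM-Enter would fail the PT consistency check")
    return host_rtit_ctl

def validate_guest_pt_cpuid(guest: dict, host: dict) -> list:
    """Userspace-supplied guest PT CPUID must not claim more than the host
    has, since the VMM saves/loads MSRs based on what the guest advertises.
    Returns the offending fields (an empty list means acceptable)."""
    problems = []
    for field, guest_val in guest.items():
        host_val = host.get(field, 0)
        if isinstance(guest_val, bool):
            if guest_val and not host_val:   # feature bit the host lacks
                problems.append(field)
        elif guest_val > host_val:           # count beyond the hardware
            problems.append(field)
    return problems

def pt_msrs_to_switch(caps: dict) -> int:
    """Each address range is an MSR pair (IA32_RTIT_ADDRn_A/_B); a guest
    advertising more ranges than hardware has makes the VMM touch MSRs
    that do not exist, the host-side failure the post describes."""
    return 2 * caps["num_address_ranges"]

# Constructed sample data: host has 2 address ranges, the bad guest claims 4.
HOST_CAPS = {"num_address_ranges": 2, "cr3_filtering": True, "psb_cyc": True}
BAD_GUEST_CAPS = {"num_address_ranges": 4, "cr3_filtering": True, "psb_cyc": False}
GOOD_GUEST_CAPS = {"num_address_ranges": 2, "cr3_filtering": False, "psb_cyc": True}
```

Running validate_guest_pt_cpuid(BAD_GUEST_CAPS, HOST_CAPS) flags the address-range count, and pt_msrs_to_switch shows that accepting it would make the VMM context-switch twice as many range MSRs as the hardware provides.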

Code Snippet

To resolve this vulnerability, support for virtualizing Intel PT via guest/host mode is disabled unless CONFIG_BROKEN=y. The following snippet implements the change by wrapping the module parameter:

/* Expose the pt_mode parameter only when the kernel is built with CONFIG_BROKEN=y */
#ifdef CONFIG_BROKEN
module_param_named(pt_mode, pt_mode_str, charp, 0444);
MODULE_PARM_DESC(pt_mode, "Intel PT mode selector: "
	"off (no Intel PT virtualization),"
	"guest (guest only),"
	"host (host+guest) (default host)");
#endif

By hiding KVM's pt_mode module parameter behind CONFIG_BROKEN, the myriad bugs in the guest/host-mode implementation are no longer reachable on kernels built without that option.

References

1. Linux Kernel Mailing List (LKML) - Patch Info
2. KVM - Kernel-based Virtual Machine
3. Intel Software Developer's Manual (SDM)

Exploit Details

Triggering CVE-2024-53135 can cause a range of adverse effects on the stability and security of guest and host systems. Because KVM neither ensured tracing was disabled before VM-Enter nor validated the guest CPUID configuration, an attacker could potentially use this vulnerability to compromise the integrity of guest systems, trigger deadlocks, and disrupt the host's stability. Applying the change above, which disables support for virtualizing Intel PT via guest/host mode unless CONFIG_BROKEN=y, addresses the vulnerability and restores the security and functionality of both guest and host systems.

Timeline

Published on: 12/04/2024 15:15:13 UTC
Last modified on: 12/19/2024 09:40:03 UTC