{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2021-47277", "ASSIGNER": "cve@kernel.org", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\n\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot. The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\n\n hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\n\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory. However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\n\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva. If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\n\nRight now it's not clear if there are any cases in which this is\nexploitable. One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86. Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier. However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space. Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets. Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\n\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached. This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Linux", "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "<", "version_name": "1da177e4c3f4", "version_value": "3098b86390a6" }, { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "version": "4.4.273", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "4.9.273", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver" }, { "version": "4.14.237", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver" }, { "version": "4.19.195", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.4.126", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.10.44", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.12.11", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver" }, { "version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ], "defaultStatus": "affected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff" }, { "url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441" }, { "url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438" }, { "url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781" }, { "url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0" }, { "url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975" }, { "url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940" }, { "url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c" } ] }, "generator": { "engine": "bippy-9e1c9544281a" } }