In the Linux kernel, the following vulnerability has been resolved:
KVM: LAPIC: Also cancel preemption timer during SET_LAPIC
The below warning is splatting during guest reboot.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322
kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I
5.17.0-rc1+ #5
RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
Call Trace:
<TASK>
kvm_vcpu_ioctl+0x279/0x710 [kvm]
__x64_sys_ioctl+0x83/0xb0
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd39797350b
This can be triggered by not exposing tsc-deadline mode and doing a reboot
in
the guest. The lapic_shutdown() function which is called in sys_reboot path
will not disarm the flying timer, it just masks LVTT. lapic_shutdown()
clears
APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger
timer-mode
switch between tsc-deadline and oneshot/periodic, which can result in
preemption
timer be cancelled in apic_update_lvtt(). However, We can’t depend on this
when
not exposing tsc-deadline mode and oneshot/periodic modes emulated by
preemption
timer. Qemu will synchronise states around reset, let’s cancel preemption
timer
under KVM_SET_LAPIC.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/35fe7cfbab2e81f1afb23fc4212210b1de6d9633 (5.17-rc2)
git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633
git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655
git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d
launchpad.net/bugs/cve/CVE-2022-48765
nvd.nist.gov/vuln/detail/CVE-2022-48765
security-tracker.debian.org/tracker/CVE-2022-48765
www.cve.org/CVERecord?id=CVE-2022-48765