[LTS 9.2] CVE-2026-23401#1357
Merged
Merged
Conversation
…IO SPTE jira VULN-180395 cve CVE-2026-23401 commit-author Sean Christopherson <seanjc@google.com> commit aad885e upstream-diff Used linux-6.1.y backport ed5909992f344a7d3f4024261e9f751d9618a27d for the clean pick. Strictly speaking, the upstream's `kvm_flush_remote_tlbs_gfn(vcpu->kvm, gfn, level)' call corresponds to LTS 9.2-native `kvm_flush_remote_tlbs_with_address(vcpu->kvm, gfn & -KVM_PAGES_PER_HPAGE(level), KVM_PAGES_PER_HPAGE(level))'. See the non-backported commits: - 9ffe926 ("KVM: x86/mmu: Fix wrong gfn range of tlb flushing in kvm_set_pte_rmapp()"), - 8c63e8c ("KVM: x86/mmu: Rename kvm_flush_remote_tlbs_with_address()"), - c667a3b ("KVM: x86/mmu: Move round_gfn_for_level() helper into mmu_internal.h"). Nevertheless preserved linux-6.1.y's `kvm_flush_remote_tlbs_with_address()' call without `gfn' rounding, as that's exactly how it's used in the same function a few lines later, strongly suggesting that the issues raised in commit 9ffe926 don't apply here. When installing an emulated MMIO SPTE, do so *after* dropping/zapping the existing SPTE (if it's shadow-present). While commit a54aa15 was right about it being impossible to convert a shadow-present SPTE to an MMIO SPTE due to a _guest_ write, it failed to account for writes to guest memory that are outside the scope of KVM. E.g. if host userspace modifies a shadowed gPTE to switch from a memslot to emulted MMIO and then the guest hits a relevant page fault, KVM will install the MMIO SPTE without first zapping the shadow-present SPTE. ------------[ cut here ]------------ is_shadow_present_pte(*sptep) WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292 Modules linked in: kvm_intel kvm irqbypass CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm ctrliq#319 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm] Call Trace: <TASK> mmu_set_spte+0x237/0x440 [kvm] ept_page_fault+0x535/0x7f0 [kvm] kvm_mmu_do_page_fault+0xee/0x1f0 [kvm] kvm_mmu_page_fault+0x8d/0x620 [kvm] vmx_handle_exit+0x18c/0x5a0 [kvm_intel] kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm] kvm_vcpu_ioctl+0x2d5/0x980 [kvm] __x64_sys_ioctl+0x8a/0xd0 do_syscall_64+0xb5/0x730 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x47fa3f </TASK> ---[ end trace 0000000000000000 ]--- Reported-by: Alexander Bulekov <bkov@amazon.com> Debugged-by: Alexander Bulekov <bkov@amazon.com> Suggested-by: Fred Griffoul <fgriffo@amazon.co.uk> Fixes: a54aa15 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson <seanjc@google.com> (cherry picked from commit ed5909992f344a7d3f4024261e9f751d9618a27d) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
4def139 to
80fc241
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
[LTS 9.2]
Commits
CVE-2026-23401
The KVM module uses different table flushing procedures across time and code space, those relevant to the CVE-2026-23401 fix being:
kvm_flush_remote_tlbs_with_range,kvm_flush_remote_tlbs_with_address,kvm_flush_remote_tlbs_range,kvm_flush_remote_tlbs_gfn.Their evolution can best be presented in the following table, with commits starting from the oldest, up to what can be found in the upstream at the moment of the aad885e fix:
Upstream fix uses:
kernel-src-tree/arch/x86/kvm/mmu/mmu.c
Line 3074 in aad885e
The
kvm_flush_remote_tlbs_gfn()function is defined as:kernel-src-tree/arch/x86/kvm/mmu/mmu_internal.h
Lines 211 to 216 in aad885e
The
kvm_flush_remote_tlbs_range()call corresponds tokvm_flush_remote_tlbs_with_address()call - the function was renamed in 8c63e8c. Thegfn_round_for_level()function iskernel-src-tree/arch/x86/kvm/mmu/mmu_internal.h
Lines 197 to 200 in aad885e
It also exists in LTS 9.2, under a similar name
round_gfn_for_level()(moved and renamed in c667a3b).kernel-src-tree/arch/x86/kvm/mmu/tdp_iter.c
Lines 18 to 21 in cf9f720
(It's private, however, so using it in
arch/x86/kvm/mmu/mmu.cwould require publicizing it (basically what c667a3b does)).Taking all of the above into account would result in a LTS 9.2-corresponding call:
The
gfn & -KVM_PAGES_PER_HPAGE(level)part is a rounding ofgfnto a value appropriate forkvm_flush_remote_tlbs_with_address()call. Failure to do so in thekvm_set_pte_rmap()function motivated the introduction ofkvm_flush_remote_tlbs_gfn()in 9ffe926:The transition from using
kvm_flush_remote_tlbs_with_address()tokvm_flush_remote_tlbs_gfn()was done in a few commits: 9ffe926, 1e20384, 1b2dc73, 4ad980a.However, the CVE-2026-23401-fix-modified function
mmu_set_spte()useskvm_flush_remote_tlbs_with_address()call withoutgfnrounding just a few lines laterkernel-src-tree/arch/x86/kvm/mmu/mmu.c
Lines 2838 to 2839 in cf9f720
and the transition of this call to
kvm_flush_remote_tlbs_gfn()on upstream was done in a non-bugfixing commit 4ad980a. This strongly suggests thatgfnis already rounded to the proper value.Retained the
linux-6.1.ysolution (aligning also withrocky8_10fix in 9b906d0) for the sake of simplicity.kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
Reference
kselftests–ciqlts9_2–run1.log
Patch
kselftests–ciqlts9_2-CVE-2026-23401–run1.log
Comparison
The tests results for the reference and the patch are the same.
full-tests-results-comparison.log