CVE-2023-53208

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Load L1's TSC multiplier based on L1 state, not L2 state

When emulating nested VM-Exit, load L1's TSC multiplier if L1's desired ratio doesn't match the current ratio, not if the ratio L1 is using for L2 diverges from the default. Functionally, the end result is the same as KVM will run L2 with L1's multiplier if L2's multiplier is the default, i.e. checking that L1's multiplier is loaded is equivalent to checking if L2 has a non-default multiplier.

However, the assertion that TSC scaling is exposed to L1 is flawed, as userspace can trigger the WARN at will by writing the MSR and then updating guest CPUID to hide the feature (modifying guest CPUID is allowed anytime before KVMRUN). E.g. hacking KVM's statetest selftest to do

            vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);
            vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);

after restoring state in a new VM+vCPU yields an endless supply of:

------------[ cut here ]------------ WARNING: CPU: 10 PID: 206939 at arch/x86/kvm/svm/nested.c:1105 nestedsvmvmexit+0x6af/0x720 [kvmamd] Call Trace: nestedsvmexithandled+0x102/0x1f0 [kvmamd] svmhandleexit+0xb9/0x180 [kvmamd] kvmarchvcpuioctlrun+0x1eab/0x2570 [kvm] kvmvcpuioctl+0x4c9/0x5b0 [kvm] ? tracehardirqsoff+0x4d/0xa0 _sesysioctl+0x7a/0xc0 _x64sysioctl+0x21/0x30 dosyscall64+0x41/0x90 entrySYSCALL64afterhwframe+0x63/0xcd

Unlike the nested VMRUN path, hoisting the svm->tscscalingenabled check into the if-statement is wrong as KVM needs to ensure L1's multiplier is loaded in the above scenario. Alternatively, the WARNON() could simply be deleted, but that would make KVM's behavior even more subtle, e.g. it's not immediately obvious why it's safe to write MSRAMD64TSCRATIO when checking only tscratiomsr.