CVE-2023-53756

In the Linux kernel, the following vulnerability has been resolved:

KVM: VMX: Fix crash due to uninitialized current_vmcs

KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as a nested hypervisor on top of Hyper-V. When MSR bitmap is updated, evmcstouchmsrbitmap function uses currentvmcs per-cpu variable to mark that the msr bitmap was changed.

vmxvcpucreate() modifies the msr bitmap via vmxdisableinterceptformsr -> vmxmsrbitmapl01changed which in the end calls this function. The function checks for currentvmcs if it is null but the check is insufficient because currentvmcs is not initialized. Because of this, the code might incorrectly write to the structure pointed by currentvmcs value left by another task. Preemption is not disabled, the current task can be preempted and moved to another CPU while currentvmcs is accessed multiple times from evmcstouchmsr_bitmap() which leads to crash.

The manipulation of MSR bitmaps by callers happens only for vmcs01 so the solution is to use vmx->vmcs01.vmcs instead of current_vmcs.

BUG: kernel NULL pointer dereference, address: 0000000000000338 PGD 4e1775067 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI ... RIP: 0010:vmxmsrbitmapl01changed+0x39/0x50 [kvmintel] ... Call Trace: vmxdisableinterceptformsr+0x36/0x260 [kvmintel] vmxvcpucreate+0xe6/0x540 [kvmintel] kvmarchvcpucreate+0x1d1/0x2e0 [kvm] kvmvmioctlcreatevcpu+0x178/0x430 [kvm] kvmvmioctl+0x53f/0x790 [kvm] __x64sysioctl+0x8a/0xc0 dosyscall64+0x5c/0x90 entrySYSCALL64afterhwframe+0x63/0xcd