CVE-2024-40953

In the Linux kernel, the following vulnerability has been resolved:

KVM: Fix a data race on lastboostedvcpu in kvmvcpuon_spin()

Use {READ,WRITE}ONCE() to access kvm->lastboosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs:

CPU0 CPU1 lastboostedvcpu = 0xff;

                                (last_boosted_vcpu = 0x100)
                                last_boosted_vcpu[15:8] = 0x01;

i = (lastboostedvcpu = 0x1ff) lastboostedvcpu[7:0] = 0x00;

vcpu = kvm->vcpu_array[0x1ff];

As detected by KCSAN:

BUG: KCSAN: data-race in kvmvcpuonspin [kvm] / kvmvcpuonspin [kvm]

write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvmvcpuonspin (arch/x86/kvm/../../../virt/kvm/kvmmain.c:4112) kvm handlepause (arch/x86/kvm/vmx/vmx.c:5929) kvmintel vmxhandleexit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvmintel vcpurun (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvmarchvcpuioctlrun (arch/x86/kvm/x86.c:?) kvm kvmvcpuioctl (arch/x86/kvm/../../../virt/kvm/kvmmain.c:?) kvm _sesysioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) _x64sysioctl (fs/ioctl.c:890) x64syscall (arch/x86/entry/syscall64.c:33) dosyscall64 (arch/x86/entry/common.c:?) entrySYSCALL64afterhwframe (arch/x86/entry/entry_64.S:130)

read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvmvcpuonspin (arch/x86/kvm/../../../virt/kvm/kvmmain.c:4069) kvm handlepause (arch/x86/kvm/vmx/vmx.c:5929) kvmintel vmxhandleexit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvmintel vcpurun (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvmarchvcpuioctlrun (arch/x86/kvm/x86.c:?) kvm kvmvcpuioctl (arch/x86/kvm/../../../virt/kvm/kvmmain.c:?) kvm _sesysioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) _x64sysioctl (fs/ioctl.c:890) x64syscall (arch/x86/entry/syscall64.c:33) dosyscall64 (arch/x86/entry/common.c:?) entrySYSCALL64afterhwframe (arch/x86/entry/entry_64.S:130)

value changed: 0x00000012 -> 0x00000000