CVE-2024-45005

In the Linux kernel, the following vulnerability has been resolved:

KVM: s390: fix validity interception issue when gisa is switched off

We might run into a SIE validity if gisa has been disabled either via using kernel parameter "kvm.usegisa=0" or by setting the related sysfs attribute to N (echo N >/sys/module/kvm/parameters/usegisa).

The validity is caused by an invalid value in the SIE control block's gisa designation. That happens because we pass the uninitialized gisa origin to virttophys() before writing it to the gisa designation.

To fix this we return 0 in kvms390getgisadesc() if the origin is 0. kvms390getgisadesc() is used to determine which gisa designation to set in the SIE control block. A value of 0 in the gisa designation disables gisa usage.

The issue surfaces in the host kernel with the following kernel message as soon a new kvm guest start is attemted.

kvm: unhandled validity intercept 0x1011 WARNING: CPU: 0 PID: 781237 at arch/s390/kvm/intercept.c:101 kvmhandlesieintercept+0x42e/0x4d0 [kvm] Modules linked in: vhostnet tap tun xtCHECKSUM xtMASQUERADE xtconntrack iptREJECT xttcpudp nftcompat xtables nfnattftp nfconntracktftp vfiopcicore irqbypass vhostvsock vmwvsockvirtiotransportcommon vsock vhost vhostiotlb kvm nftfibinet nftfibipv4 nftfibipv6 nftfib nftrejectinet nfrejectipv4 nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 ipset nftables sunrpc mlx5ib ibuverbs ibcore mlx5core uvdevice s390trng eadmsch vfioccw zcryptcex4 mdev vfioiommutype1 vfio schfqcodel drm i2ccore loop drmpanelorientationquirks configfs nfnetlink lcs ctcm fsm dmservicetime ghashs390 prng chachas390 libchacha aess390 dess390 libdes sha3512s390 sha3256s390 sha512s390 sha256s390 sha1s390 shacommon dmmirror dmregionhash dmlog zfcp scsitransportfc scsidhrdac scsidhemc scsidhalua pkey zcrypt dmmultipath rngcore autofs4 [last unloaded: vfiopci] CPU: 0 PID: 781237 Comm: CPU 0/KVM Not tainted 6.10.0-08682-gcad9f11498ea #6 Hardware name: IBM 3931 A01 701 (LPAR) Krnl PSW : 0704c00180000000 000003d93deb0122 (kvmhandlesieintercept+0x432/0x4d0 [kvm]) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 Krnl GPRS: 000003d900000027 000003d900000023 0000000000000028 000002cd00000000 000002d063a00900 00000359c6daf708 00000000000bebb5 0000000000001eff 000002cfd82e9000 000002cfd80bc000 0000000000001011 000003d93deda412 000003ff8962df98 000003d93de77ce0 000003d93deb011e 00000359c6daf960 Krnl Code: 000003d93deb0112: c020fffe7259 larl %r2,000003d93de7e5c4 000003d93deb0118: c0e53fa8beac brasl %r14,000003d9bd3c7e70 #000003d93deb011e: af000000 mc 0,0

000003d93deb0122: a728ffea lhi %r2,-22 000003d93deb0126: a7f4fe24 brc 15,000003d93deafd6e 000003d93deb012a: 9101f0b0 tm 176(%r15),1 000003d93deb012e: a774fe48 brc 7,000003d93deafdbe 000003d93deb0132: 40a0f0ae sth %r10,174(%r15) Call Trace: [<000003d93deb0122>] kvmhandlesieintercept+0x432/0x4d0 [kvm] ([<000003d93deb011e>] kvmhandlesieintercept+0x42e/0x4d0 [kvm]) [<000003d93deacc10>] vcpupostrun+0x1d0/0x3b0 [kvm] [<000003d93deaceda>] _vcpurun+0xea/0x2d0 [kvm] [<000003d93dead9da>] kvmarchvcpuioctlrun+0x16a/0x430 [kvm] [<000003d93de93ee0>] kvmvcpuioctl+0x190/0x7c0 [kvm] [<000003d9bd728b4e>] vfsioctl+0x2e/0x70 [<000003d9bd72a092>] _s390xsysioctl+0xc2/0xd0 [<000003d9be0e9222>] _dosyscall+0x1f2/0x2e0 [<000003d9be0f9a90>] systemcall+0x70/0x98 Last Breaking-Event-Address: [<000003d9bd3c7f58>] _warn_printk+0xe8/0xf0