GHSA-9PJJ-2JVJ-24RM

Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-09 18:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Make sure GHCB is mapped before updating

Access to the GHCB is mainly in the VMGEXIT path and it is known that the GHCB will be mapped. But there are two paths where it is possible the GHCB might not be mapped.

The sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform the caller of the AP Reset Hold NAE event that a SIPI has been delivered. However, if a SIPI is performed without a corresponding AP Reset Hold, then the GHCB might not be mapped (depending on the previous VMEXIT), which will result in a NULL pointer dereference.

The svm_complete_emulated_msr() routine will update the GHCB to inform the caller of a RDMSR/WRMSR operation about any errors. While it is likely that the GHCB will be mapped in this situation, add a safe guard in this path to be certain a NULL pointer dereference is not encountered.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-28T09:15:38Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Make sure GHCB is mapped before updating\n\nAccess to the GHCB is mainly in the VMGEXIT path and it is known that the\nGHCB will be mapped. But there are two paths where it is possible the GHCB\nmight not be mapped.\n\nThe sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform\nthe caller of the AP Reset Hold NAE event that a SIPI has been delivered.\nHowever, if a SIPI is performed without a corresponding AP Reset Hold,\nthen the GHCB might not be mapped (depending on the previous VMEXIT),\nwhich will result in a NULL pointer dereference.\n\nThe svm_complete_emulated_msr() routine will update the GHCB to inform\nthe caller of a RDMSR/WRMSR operation about any errors. While it is likely\nthat the GHCB will be mapped in this situation, add a safe guard\nin this path to be certain a NULL pointer dereference is not encountered.",
  "id": "GHSA-9pjj-2jvj-24rm",
  "modified": "2024-12-09T18:31:18Z",
  "published": "2024-02-28T09:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47008"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a3ba26ecfb569f4aa3f867e80c02aa65f20aadad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb9e14f4f8217a0980f8da2c8ff70dee058cbe47"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd722a57fe0b80133dacae4e1c852ee4212f9b2e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.