Bug 2320259 (CVE-2024-47727)

Summary: CVE-2024-47727 kernel: x86/tdx: Fix "in-kernel MMIO" check
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. Userspace can deceive the kernel into performing MMIO (Memory-Mapped IO) operations in TDX (Trust Domain Extensions) on its behalf, allowing a #VE (Virtualization Exception) to be incorrectly handled as a in-kernel MMIO operation.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2320359    
Bug Blocks:    

Description OSIDB Bzimport 2024-10-21 13:06:08 UTC 
In the Linux kernel, the following vulnerability has been resolved:

x86/tdx: Fix "in-kernel MMIO" check

TDX only supports kernel-initiated MMIO operations. The handle_mmio()
function checks if the #VE exception occurred in the kernel and rejects
the operation if it did not.

However, userspace can deceive the kernel into performing MMIO on its
behalf. For example, if userspace can point a syscall to an MMIO address,
syscall does get_user() or put_user() on it, triggering MMIO #VE. The
kernel will treat the #VE as in-kernel MMIO.

Ensure that the target MMIO address is within the kernel before decoding
instruction.
Comment 1 Robb Gatica 2024-10-21 15:19:00 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102105-CVE-2024-47727-1049@gregkh/T