An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults. Reference and upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e72436bc3a5206f95bb384e741154166ddb3202e
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1947983]
This was fixed for Fedora with the 5.8 kernel rebases.
From Paolo Bonzini:

On 30/04/21 20:32, Jan Werner wrote:
> So to trigger this flaw one would have to run a nested Virtual Machine,
> and attempt to execute the code from an instruction pointer that does
> not have a memslot assigned to that memory location?
> If that's the case, what conditions need to occur for that to happen?

You don't need a nested virtual machine. This is a "nested page fault", i.e. a guest-to-hypervisor page fault. You just need to run the KVM selftests to reproduce the bug.

> I saw the discussion here:
> http://lkml.iu.edu/hypermail/linux/kernel/2004.2/03025.html
>
> And I believe that I understand the conditions observed in the testing.
> Can you help me understand how those conditions can be reproduced in the
> production?

The bug would happen when the VM executes from a non-existing address; in production it would only happen with a buggy VM. Instead of exiting immediately with an error, it would retry forever (but it's interruptible with Ctrl-C, i.e. not a serious issue).

Who decided to give this bug a CVE, and can it be retracted? This is just a bug with no security consequences.