A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can theoretically trigger a stack overflow and cause a denial-of-service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`).
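An added illustration of the double-fetch pattern behind this bug (example code, not from the bug report or the kernel patch): the vulnerable handler reads a field from guest-shared memory once to validate it and again to act on it, so a second vCPU can change it in between; the hardened handler snapshots the shared page once and only uses the private copy. The `shared_page` layout, the exit-code values and the `racer_fn` callback standing in for the racing vCPU are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a control page the guest shares with the host. */
struct shared_page {
    uint64_t exit_code;
    uint64_t arg;
};

/* Constructed exit codes: one the host accepts, one it must refuse. */
enum { EXIT_SAFE = 1, EXIT_REENTER = 2 };

/* Stands in for another vCPU writing the page between the host's two reads. */
typedef void (*racer_fn)(struct shared_page *sp);

static int is_allowed(uint64_t code) { return code == EXIT_SAFE; }

/* Returns -1 if the dangerous path was reached, 0 for a normal exit. */
static int dispatch(uint64_t code) { return code == EXIT_REENTER ? -1 : 0; }

/* Vulnerable: validates sp->exit_code, then fetches it a second time. */
int handle_vulnerable(struct shared_page *sp, racer_fn race)
{
    if (!is_allowed(sp->exit_code))   /* first fetch */
        return -2;                    /* rejected by validation */
    if (race)
        race(sp);                     /* racing vCPU changes the field */
    return dispatch(sp->exit_code);   /* second fetch: check is bypassed */
}

/* Hardened: copy the shared page once; every later use reads the copy. */
int handle_hardened(struct shared_page *sp, racer_fn race)
{
    struct shared_page local;
    memcpy(&local, sp, sizeof(local));   /* single fetch */
    if (!is_allowed(local.exit_code))
        return -2;
    if (race)
        race(sp);                        /* no effect on the private copy */
    return dispatch(local.exit_code);
}

/* Racer that swaps the already-validated value for the refused one. */
void flip_to_reenter(struct shared_page *sp) { sp->exit_code = EXIT_REENTER; }

int main(void)
{
    struct shared_page sp = { EXIT_SAFE, 0 };
    printf("vulnerable: %d\n", handle_vulnerable(&sp, flip_to_reenter)); /* -1 */
    sp.exit_code = EXIT_SAFE;
    printf("hardened:   %d\n", handle_hardened(&sp, flip_to_reenter));   /* 0 */
    return 0;
}
```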
RHEL-6 and RHEL-7 kernels are not affected by this flaw as they did not include support for KVM AMD Secure Encrypted Virtualization (SEV).
In reply to comment #0:
> [..] potentially guest-to-host escape in kernel configurations without
> stack guard pages (`CONFIG_VMAP_STACK`).

Note that this kernel option is enabled by default in Red Hat Enterprise Linux 8 and 9.
Patch series: https://patchew.org/linux/20230804173355.51753-1-pbonzini@redhat.com/
Patch: https://patchew.org/linux/20230804173355.51753-1-pbonzini@redhat.com/20230804173355.51753-3-pbonzini@redhat.com/
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2229642]
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077