An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a set_memory_region_test infinite loop for certain nested page faults.
Reference and upstream patch:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1947983]
This was fixed for Fedora with the 5.8 kernel rebases.
From Paolo Bonzini:
On 30/04/21 20:32, Jan Werner wrote:
> So to trigger this flaw one would have to run a nested Virtual Machine,
> and attempt to execute the code from an instruction pointer that does
> not have a memslot assigned to that memory location?
> If that's the case, what conditions need to occur for that to happen?
You don't need a nested virtual machine. This is a "nested page fault",
i.e. a guest-to-hypervisor page fault. You just need to run the KVM
selftests to reproduce the bug.
> I saw the discussion here:
> And I believe that I understand the conditions observed in the testing.
> Can you help me understand how those conditions can be reproduced in the
The bug would happen when the VM executes from a non-existing address;
in production it would only happen with a buggy VM. Instead of exiting
immediately with an error, it would retry forever (but it's
interruptible with Ctrl-C, i.e. not a serious issue). Who decided to
give this bug a CVE, and can it be retracted? This is just a bug with
no security consequences.