While not obvious, kvm_vcpu_reset leaves the nested mode by clearing 'vcpu->arch.hflags' but it does so without all the required housekeeping.
This makes SVM and VMX continue to use vmcs02/vmcb02 while the cpu is not in nested mode.
In particular, in SVM code, it makes the 'svm_free_nested' free the vmcb02, while still in use, which later triggers use after free and a kernel crash.
This issue is assigned CVE-2022-3344.
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky mlevitsk@redhat.com
---
 arch/x86/kvm/x86.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index d86a8aae1471d3..313c4a6dc65e45 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -11931,6 +11931,7 @@ void kvm_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event) WARN_ON_ONCE(!init_event && (old_cr0 || kvm_read_cr3(vcpu) || kvm_read_cr4(vcpu)));
+ kvm_leave_nested(vcpu); kvm_lapic_reset(vcpu, init_event);
vcpu->arch.hflags = 0;
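Review bot: the inserted kvm_leave_nested(vcpu) call carries no comment explaining why it has to run here, before kvm_lapic_reset() and before the later `vcpu->arch.hflags = 0;`; since the commit message says the bare hflags clear is exactly what left vmcb02/vmcs02 in use, a future reorder of these lines could silently reintroduce the use-after-free, so add a one-line comment above the call, e.g. `/* Leave nested mode before hflags is cleared below, else vmcb02/vmcs02 stays in use. */`. Also, as the diffstat shows a single one-line insertion in x86.c, please confirm kvm_leave_nested() is already declared in a header that x86.c includes and is not a static helper in the SVM or VMX code, otherwise this will not build and the Cc: stable backport needs the declaration as well.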