Fixed in 5.4.142, 5.10.60, 5.13.12. I don't know if 4.x are affected.

From $URL:

--------------------- CVE-2021-3653 ----------------------

This issue is caused by missing validation of the `int_ctl` VMCB field and allows a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The L2 guest is able to write to a limited but still relatively large subset of the host physical memory.

Note that AVIC is currently not supported with nesting and it is not advertised in the L1 CPUID.

This bug dates back to kernel 2.6.30 where it was first introduced via commit: https://github.com/torvalds/linux/commit/3d6368ef580a.

CVE-2021-3653 has been assigned by Red Hat, Inc.

---------------------- CVE-2021-3656 ----------------------

This issue is caused by missing validation of the `virt_ext` VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under these circumstances, the L2 guest is able to run VMLOAD/VMSAVE unintercepted, and thus read/write portions of the host physical memory.

This bug was introduced in kernel version 4.13 while enabling the Virtual VMLOAD/VMSAVE feature: https://github.com/torvalds/linux/commit/89c8a4984fc9.

CVE-2021-3656 has been assigned by Red Hat, Inc.

--------- Impact ---------

The nested guest (L2) could use these flaws to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

------------- Mitigation -------------

Both vulnerabilities can be mitigated by disabling the nested virtualization feature when loading kvm:

# modprobe kvm_amd nested=0

Disabling VLS (Virtual VMLOAD/VMSAVE) is an alternative mitigation for CVE-2021-3656:

# modprobe kvm_amd vls=0

---------- Credits ----------

CVE-2021-3653: Maxim Levitsky (Red Hat)
CVE-2021-3656: Maxim Levitsky (Red Hat) and Paolo Bonzini (Red Hat)

-------- Patch --------

CVE-2021-3653: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=0f923e07124df069ba68d8bb12324398f4b6b709
CVE-2021-3656: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=c7dfa4009965a9b2d7b329ee970eb8da0d32f0bc
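A host-side check that turns the fix list and the mitigation section of the quoted advisory into something an administrator can run: it compares the running kernel against the fixed releases named in this thread and reads the kvm_amd `nested` and `vls` module parameters from sysfs. This is an added example, not code from the advisory or from Gentoo; the sysfs path and the treatment of branches the thread does not list (5.11/5.12 as unfixed EOL branches, anything older than 4.9 as unknown) are assumptions.

```python
import os
import platform
import re

# First fixed release per stable branch, as listed in this bug thread.
FIXED = {
    (4, 9): (4, 9, 281), (4, 14): (4, 14, 245), (4, 19): (4, 19, 205),
    (5, 4): (5, 4, 142), (5, 10): (5, 10, 60), (5, 13): (5, 13, 12),
    (5, 14): (5, 14, 0),
}


def parse_version(uname_release):
    """'5.10.52-gentoo-x86_64' -> (5, 10, 52); '5.14' -> (5, 14, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_is_fixed(uname_release):
    """True/False where the thread's fix list decides it; None for branches it does not cover."""
    major, minor, patch = parse_version(uname_release)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) >= FIXED[branch]
    if branch > max(FIXED):
        return True   # mainline after 5.14 carries both fixes
    if branch < min(FIXED):
        return None   # e.g. 4.4: the thread does not say whether it is affected
    return False      # assumption: EOL branches between the listed ones (5.11, 5.12) got no fix


def mitigation_state(params):
    """params: kvm_amd parameter values as read from sysfs, e.g. {'nested': '1', 'vls': '0'}."""
    def is_off(value):
        return str(value).strip().lower() in ("0", "n", "false")
    nested_off = is_off(params.get("nested", "1"))   # module default is nested=1
    vls_off = is_off(params.get("vls", "1"))
    return {
        "CVE-2021-3653": nested_off,                 # only nested=0 mitigates this one
        "CVE-2021-3656": nested_off or vls_off,      # vls=0 is the alternative mitigation
    }


def read_kvm_amd_params(sysfs="/sys/module/kvm_amd/parameters"):
    """Returns {} when kvm_amd is not loaded (assumed sysfs layout)."""
    out = {}
    for name in ("nested", "vls"):
        path = os.path.join(sysfs, name)
        if os.path.exists(path):
            with open(path) as f:
                out[name] = f.read().strip()
    return out


if __name__ == "__main__":
    release = platform.release()
    print(f"kernel {release}: fixed={kernel_is_fixed(release)}")
    print("kvm_amd mitigations:", mitigation_state(read_kvm_amd_params()))
```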
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f893aaebf4beadb0d6062f970dc86f25db9cce0

commit 2f893aaebf4beadb0d6062f970dc86f25db9cce0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-08-28 06:32:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-08-28 06:53:55 +0000

    package.mask: Mask vulnerable EOL kernels

    Bug: https://bugs.gentoo.org/808990
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Fixes in 4.9.281, 4.14.245, 4.19.205, 5.4.142, 5.10.60, 5.14. All done.