Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 808990 (CVE-2021-3653, CVE-2021-3656) - SVM nested virtualization issues in KVM
Summary: SVM nested virtualization issues in KVM
Alias: CVE-2021-3653, CVE-2021-3656
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
Depends on: 808936 808939
  Show dependency tree
Reported: 2021-08-19 05:10 UTC by Michał Górny
Modified: 2021-09-23 09:19 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 05:10:36 UTC
Fixed in 5.4.142, 5.10.60, 5.13.12.  I don't know if 4.x are affected.

From $URL:

This issue is caused by missing validation of the `int_ctl` VMCB field
and allows a malicious L1 guest to enable AVIC support (Advanced
Virtual Interrupt Controller) for the L2 guest. The L2 guest is able
to write to a limited but still relatively large subset of the host
physical memory. Note that AVIC is currently not supported with
nesting and it is not advertised in the L1 CPUID.

This bug dates back to kernel 2.6.30 where it was first introduced via

CVE-2021-3653 has been assigned by Red Hat, Inc.

This issue is caused by missing validation of the the `virt_ext` VMCB
field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE
intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under
these circumstances, the L2 guest is able to run VMLOAD/VMSAVE
unintercepted, and thus read/write portions of the host physical

This bug was introduced in kernel version 4.13 while enabling the
Virtual VMLOAD/VMSAVE feature:

CVE-2021-3656 has been assigned by Red Hat, Inc.

The nested guest (L2) could use these flaws to read/write physical
pages of the host, resulting in a crash of the entire system, leak of
sensitive data or potential guest-to-host escape.

Both vulnerabilities can be mitigated by disabling the nested
virtualization feature when loading kvm:
# modprobe kvm_amd nested=0

Disabling VLS (Virtual VMLOAD/VMSAVE) is an alternative mitigation for
# modprobe kvm_amd vls=0

CVE-2021-3653: Maxim Levitsky (Red Hat)
CVE-2021-3656: Maxim Levitsky (Red Hat) and Paolo Bonzini (Red Hat)

Comment 1 Larry the Git Cow gentoo-dev 2021-08-28 06:53:59 UTC
The bug has been referenced in the following commit(s):

commit 2f893aaebf4beadb0d6062f970dc86f25db9cce0
Author:     Michał Górny <>
AuthorDate: 2021-08-28 06:32:08 +0000
Commit:     Michał Górny <>
CommitDate: 2021-08-28 06:53:55 +0000

    package.mask: Mask vulnerable EOL kernels
    Signed-off-by: Michał Górny <>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)