In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests rely on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety...
4.10.0-14.16~16.04.14.10.0-19.21~16.04.14.10.0-20.22~16.04.14.10.0-21.23~16.04.14.10.0-22.24~16.04.14.10.0-24.28~16.04.14.10.0-26.30~16.04.14.11.0-13.19~16.04.14.11.0-14.20~16.04.14.13.0-16.19~16.04.3+13 more5.0.0-1021.24~18.04.15.0.0-1022.25~18.04.15.0.0-1023.26~18.04.15.0.0-1024.27~18.04.15.0.0-1025.285.0.0-1027.305.3.0-1016.17~18.04.15.3.0-1017.18~18.04.15.3.0-1019.21~18.04.15.3.0-1023.25~18.04.15.3.0-1028.30~18.04.15.3.0-1030.32~18.04.15.3.0-1032.34~18.04.25.3.0-1033.355.3.0-1034.365.3.0-1035.374.15.0-1002.24.15.0-1003.34.15.0-1004.44.15.0-1008.84.15.0-1009.94.15.0-1012.124.15.0-1013.134.15.0-1014.144.15.0-1018.184.15.0-1019.19+34 more5.3.0-1007.8~18.04.15.3.0-1008.9~18.04.15.3.0-1009.10~18.04.15.3.0-1010.11~18.04.15.3.0-1012.13~18.04.15.3.0-1013.14~18.04.15.3.0-1016.17~18.04.15.3.0-1018.19~18.04.15.3.0-1019.20~18.04.15.3.0-1020.21~18.04.1+6 more4.18.0-1006.6~18.04.14.18.0-1007.7~18.04.14.18.0-1008.8~18.04.15.0.0-1012.12~18.04.24.15.0-1001.14.15.0-1003.34.15.0-1005.54.15.0-1006.64.15.0-1008.84.15.0-1009.94.15.0-1010.104.15.0-1014.144.15.0-1015.154.15.0-1017.18+28 more5.3.0-1008.9~18.04.15.3.0-1009.10~18.04.15.3.0-1010.11~18.04.15.3.0-1012.13~18.04.15.3.0-1014.15~18.04.15.3.0-1016.17~18.04.15.3.0-1017.18~18.04.15.3.0-1018.19~18.04.15.3.0-1020.22~18.04.15.3.0-1026.28~18.04.1+3 more4.15.0-1030.324.15.0-1032.344.15.0-1033.354.15.0-1034.364.15.0-1036.384.15.0-1037.394.15.0-1040.424.15.0-1041.434.15.0-1042.444.15.0-1044.46+23 more5.4.0-1025.25~18.04.15.4.0-1027.28~18.04.15.4.0-1029.31~18.04.15.4.0-1030.32~18.04.15.4.0-1032.34~18.04.15.4.0-1033.35~18.04.15.4.0-1035.37~18.04.15.4.0-1036.38~18.04.15.4.0-1037.39~18.04.15.4.0-1039.41~18.04.1+27 more