{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47277", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T13:27:52.128Z", "datePublished": "2024-05-21T14:20:04.660Z", "dateUpdated": "2025-05-04T07:07:44.480Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:07:44.480Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\n\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot. The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\n\n hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\n\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory. However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\n\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva. If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\n\nRight now it's not clear if there are any cases in which this is\nexploitable. One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86. Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier. However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space. Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets. Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\n\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached. This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/kvm_host.h"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "3098b86390a6b9ea52657689f08410baf130ceff", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "740621309b25bbf619b8a0ba5fd50a8e58989441", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "361ce3b917aff93123e9e966d8608655c967f438", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "22b87fb17a28d37331bb9c1110737627b17f6781", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "bff1fbf0cf0712686f1df59a83fba6e31d2746a0", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "7af299b97734c7e7f465b42a2139ce4d77246975", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "da27a83fd6cc7780fea190e1f5c19e87019da65c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/kvm_host.h"], "versions": [{"version": "4.4.273", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.273", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.237", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.195", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.126", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.44", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.11", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.273"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.9.273"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.19.195"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4.126"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.12.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff"}, {"url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441"}, {"url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438"}, {"url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781"}, {"url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0"}, {"url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975"}, {"url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940"}, {"url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c"}], "title": "kvm: avoid speculation-based attacks from out-of-range memslot accesses", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47277", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T17:22:08.771570Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:14:39.924Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.918Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:07.918Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-47277", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-23T17:22:08.771570Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T17:22:13.828Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "kvm: avoid speculation-based attacks from out-of-range memslot accesses", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "3098b86390a6", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "740621309b25", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "361ce3b917af", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "22b87fb17a28", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "bff1fbf0cf07", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "7af299b97734", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "ed0e2a893092", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "da27a83fd6cc", "versionType": "git"}], "programFiles": ["include/linux/kvm_host.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "4.4.273", "versionType": "custom", "lessThanOrEqual": "4.4.*"}, {"status": "unaffected", "version": "4.9.273", "versionType": "custom", "lessThanOrEqual": "4.9.*"}, {"status": "unaffected", "version": "4.14.237", "versionType": "custom", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.195", "versionType": "custom", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.126", "versionType": "custom", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.44", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.12.11", "versionType": "custom", "lessThanOrEqual": "5.12.*"}, {"status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/linux/kvm_host.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff"}, {"url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441"}, {"url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438"}, {"url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781"}, {"url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0"}, {"url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975"}, {"url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940"}, {"url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c"}], "x_generator": {"engine": "bippy-a5840b7849dd"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\n\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot. The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\n\n hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\n\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory. However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\n\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva. If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\n\nRight now it's not clear if there are any cases in which this is\nexploitable. One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86. Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier. However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space. Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets. Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\n\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached. This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-05-29T05:05:08.946Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47277", "state": "PUBLISHED", "dateUpdated": "2024-08-04T05:32:07.918Z", "dateReserved": "2024-05-21T13:27:52.128Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T14:20:04.660Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A209A4F-1F96-4D92-BCA6-A12D00C4404B", "versionEndExcluding": "4.4.273", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "484D222B-5082-4E28-BF0F-B52766353015", "versionEndExcluding": "4.9.273", "versionStartIncluding": "4.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "83CDDAD5-5539-46C9-9255-C1DAC38F7905", "versionEndExcluding": "4.14.237", "versionStartIncluding": "4.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "23EECCE9-4D4C-4684-AB00-10C938F5DDC1", "versionEndExcluding": "4.19.195", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "876275F9-BEC7-40E8-9D7F-A20729A4A4FF", "versionEndExcluding": "5.4.126", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA547B08-9D25-467B-AD0D-8460FE4EE70D", "versionEndExcluding": "5.10.44", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F914A757-FAFD-407E-9031-21F66635D5EA", "versionEndExcluding": "5.12.11", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "CF351855-2437-4CF5-AD7C-BDFA51F27683", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\n\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot. The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\n\n hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\n\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory. However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\n\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva. If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\n\nRight now it's not clear if there are any cases in which this is\nexploitable. One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86. Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier. However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space. Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets. Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\n\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached. This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: kvm: evite ataques basados en especulacion desde accesos a memslot fuera de rango. El mecanismo de KVM para acceder a la memoria del invitado traduce una direcci\u00f3n f\u00edsica del invitado (gpa) a una direcci\u00f3n virtual del host usando el bot\u00f3n derecho. gpa desplazado (tambi\u00e9n conocido como gfn) y una estructura kvm_memory_slot. La traducci\u00f3n se realiza en __gfn_to_hva_memslot usando la siguiente f\u00f3rmula: hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE Se espera que gfn est\u00e9 dentro de los l\u00edmites de la memoria f\u00edsica del hu\u00e9sped. Sin embargo, un invitado puede acceder a direcciones f\u00edsicas no v\u00e1lidas de tal manera que el gfn no sea v\u00e1lido. __gfn_to_hva_memslot se llama desde kvm_vcpu_gfn_to_hva_prot, que primero recupera un memslot a trav\u00e9s de __gfn_to_memslot. Si bien __gfn_to_memslot verifica que el gfn est\u00e9 dentro de los l\u00edmites de la memoria f\u00edsica del hu\u00e9sped o no, una CPU puede especular el resultado de la verificaci\u00f3n y continuar la ejecuci\u00f3n de manera especulativa usando un gfn ilegal. La especulaci\u00f3n puede resultar en el c\u00e1lculo de un hva fuera de los l\u00edmites. Si la direcci\u00f3n virtual del host resultante se utiliza para cargar otra direcci\u00f3n f\u00edsica de invitado, se trata efectivamente de un dispositivo Spectre que consta de dos lecturas consecutivas, la segunda de las cuales depende de los datos de la primera. En este momento no est\u00e1 claro si hay casos en los que esto sea explotable. El autor original de este parche inform\u00f3 un caso interesante que implica visitar tablas de p\u00e1ginas de invitados en x86. En este momento, estos no son vulnerables porque la lectura de hva pasa por get_user(), que contiene una barrera de especulaci\u00f3n LFENCE. Sin embargo, hay parches en progreso para x86 uaccess.h para enmascarar las direcciones del kernel en lugar de usar LFENCE; Una vez que aterrizan, un invitado podr\u00eda usar la especulaci\u00f3n para leer desde el espacio de direcciones del anillo 3 del VMM. Otras arquitecturas, como ARM, ya utilizan el m\u00e9todo de enmascaramiento de direcciones y ser\u00edan susceptibles a este mismo tipo de dispositivos de acceso dependientes de datos. Por lo tanto, este parche protege proactivamente contra estos ataques al enmascarar gfns fuera de los l\u00edmites en __gfn_to_hva_memslot, lo que bloquea la especulaci\u00f3n sobre hvas no v\u00e1lidos. Sean Christopherson se\u00f1al\u00f3 que este parche no cubre kvm_read_guest_offset_cached. Sin embargo, esto se limita a unos pocos bytes despu\u00e9s del final de la cach\u00e9 y, por lo tanto, es poco probable que sea \u00fatil en el contexto de la construcci\u00f3n de una cadena de accesos dependientes de datos."}], "id": "CVE-2021-47277", "lastModified": "2025-04-30T14:30:29.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-21T15:15:16.053", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/22b87fb17a28d37331bb9c1110737627b17f6781"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3098b86390a6b9ea52657689f08410baf130ceff"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/361ce3b917aff93123e9e966d8608655c967f438"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/740621309b25bbf619b8a0ba5fd50a8e58989441"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7af299b97734c7e7f465b42a2139ce4d77246975"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bff1fbf0cf0712686f1df59a83fba6e31d2746a0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/da27a83fd6cc7780fea190e1f5c19e87019da65c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ed0e2a893092c7fcb4ff7ba74e5efce53a6f5940"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: kvm: avoid speculation-based attacks from out-of-range memslot accesses", "id": "2282520", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282520"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-118", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nkvm: avoid speculation-based attacks from out-of-range memslot accesses\nKVM's mechanism for accessing guest memory translates a guest physical\naddress (gpa) to a host virtual address using the right-shifted gpa\n(also known as gfn) and a struct kvm_memory_slot. The translation is\nperformed in __gfn_to_hva_memslot using the following formula:\nhva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE\nIt is expected that gfn falls within the boundaries of the guest's\nphysical memory. However, a guest can access invalid physical addresses\nin such a way that the gfn is invalid.\n__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first\nretrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot\ndoes check that the gfn falls within the boundaries of the guest's\nphysical memory or not, a CPU can speculate the result of the check and\ncontinue execution speculatively using an illegal gfn. The speculation\ncan result in calculating an out-of-bounds hva. If the resulting host\nvirtual address is used to load another guest physical address, this\nis effectively a Spectre gadget consisting of two consecutive reads,\nthe second of which is data dependent on the first.\nRight now it's not clear if there are any cases in which this is\nexploitable. One interesting case was reported by the original author\nof this patch, and involves visiting guest page tables on x86. Right\nnow these are not vulnerable because the hva read goes through get_user(),\nwhich contains an LFENCE speculation barrier. However, there are\npatches in progress for x86 uaccess.h to mask kernel addresses instead of\nusing LFENCE; once these land, a guest could use speculation to read\nfrom the VMM's ring 3 address space. Other architectures such as ARM\nalready use the address masking method, and would be susceptible to\nthis same kind of data-dependent access gadgets. Therefore, this patch\nproactively protects from these attacks by masking out-of-bounds gfns\nin __gfn_to_hva_memslot, which blocks speculation of invalid hvas.\nSean Christopherson noted that this patch does not cover\nkvm_read_guest_offset_cached. This however is limited to a few bytes\npast the end of the cache, and therefore it is unlikely to be useful in\nthe context of building a chain of data dependent accesses."], "name": "CVE-2021-47277", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47277\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47277\nhttps://lore.kernel.org/linux-cve-announce/2024052152-CVE-2021-47277-68e4@gregkh/T"], "threat_severity": "Moderate"}

{}