CVE-2021-47008 in Linux
Summary
by MITRE • 02/28/2024
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Make sure GHCB is mapped before updating
Access to the GHCB is mainly in the VMGEXIT path and it is known that the GHCB will be mapped. But there are two paths where it is possible the GHCB might not be mapped.
The sev_vcpu_deliver_sipi_vector() routine will update the GHCB to inform the caller of the AP Reset Hold NAE event that a SIPI has been delivered. However, if a SIPI is performed without a corresponding AP Reset Hold, then the GHCB might not be mapped (depending on the previous VMEXIT), which will result in a NULL pointer dereference.
The svm_complete_emulated_msr() routine will update the GHCB to inform the caller of a RDMSR/WRMSR operation about any errors. While it is likely that the GHCB will be mapped in this situation, add a safe guard in this path to be certain a NULL pointer dereference is not encountered.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/09/2024
The vulnerability CVE-2021-47008 represents a critical NULL pointer dereference issue within the Linux kernel's KVM hypervisor implementation, specifically affecting AMD Secure Virtual Machine (SVM) technology. This flaw exists in the handling of the Guest Hypervisor Communication Block (GHCB) during virtual machine execution, where improper validation of GHCB mapping status can lead to system crashes and potential privilege escalation. The GHCB serves as a communication channel between the guest virtual machine and the hypervisor, facilitating secure operations and error reporting mechanisms essential for virtualization security. The vulnerability manifests when the kernel fails to properly verify that the GHCB is mapped before attempting to update its contents, creating a race condition scenario where memory access occurs against an unmapped virtual address.
The technical implementation of this vulnerability occurs through two distinct code paths within the KVM subsystem that handle different types of virtual machine exits. The first vulnerable path involves the sev_vcpu_deliver_sipi_vector() function, which processes SIPI (Startup IPI) vector delivery for Application Processors (APs) during the AP Reset Hold NAE event. When a SIPI is issued without a corresponding AP Reset Hold, the GHCB mapping state becomes uncertain, potentially leaving the GHCB unmapped and causing the kernel to attempt writing to a NULL pointer. The second vulnerable path is found in the svm_complete_emulated_msr() routine, which handles RDMSR/WRMSR operations and updates the GHCB to report any errors encountered during these operations. While the second path is less likely to encounter unmapped GHCB conditions, the lack of proper validation creates an exploitable condition where a NULL pointer dereference can occur under specific timing and execution scenarios.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling privilege escalation attacks within virtualized environments and compromising the security isolation guarantees that virtualization technologies are designed to provide. Attackers could exploit this vulnerability by triggering specific sequences of VMEXIT events that lead to the NULL pointer dereference conditions, potentially causing denial of service against virtual machines or gaining unauthorized access to hypervisor memory spaces. The vulnerability affects systems running Linux kernels with KVM support and AMD SVM virtualization enabled, particularly those implementing SEV (Secure Encrypted Virtualization) features. According to CWE classification, this represents a CWE-476: NULL Pointer Dereference weakness, while ATT&CK framework categorizes this under T1059.001: Command and Scripting Interpreter - PowerShell and T1499.004: Endpoint Denial of Service - File and Storage Denial of Service, as the vulnerability can be leveraged to disrupt virtual machine operations and potentially escalate privileges within the virtualized environment.
Mitigation strategies for CVE-2021-47008 require immediate kernel updates from vendors, with the most effective solution being the application of patches that ensure proper GHCB mapping validation before any updates occur. System administrators should prioritize patching affected systems, particularly those running virtualized workloads with SEV support, as the vulnerability can be exploited to compromise entire virtualization infrastructures. The patch implementation enforces proper checks in both vulnerable code paths, ensuring that the GHCB mapping status is verified before attempting any updates, thereby preventing the NULL pointer dereference conditions. Organizations should also implement monitoring for anomalous VMEXIT patterns that might indicate exploitation attempts and consider disabling SEV features on systems where the vulnerability cannot be immediately patched. Additionally, security teams should conduct thorough assessments of their virtualization environments to identify all affected systems and establish incident response procedures for potential exploitation attempts targeting this specific vulnerability.