CVE-2021-47112 in Linux
Summary
by MITRE • 03/15/2024
In the Linux kernel, the following vulnerability has been resolved:
x86/kvm: Teardown PV features on boot CPU as well
Various PV features (Async PF, PV EOI, steal time) work through memory shared with hypervisor and when we restore from hibernation we must properly teardown all these features to make sure hypervisor doesn't write to stale locations after we jump to the previously hibernated kernel (which can try to place anything there). For secondary CPUs the job is already done by kvm_cpu_down_prepare(), register syscore ops to do the same for boot CPU.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/13/2025
The vulnerability identified as CVE-2021-47112 resides within the Linux kernel's x86 kernel virtual machine (KVM) subsystem, specifically addressing a critical oversight in the handling of paravirtualized (PV) features during system hibernation and resume operations. This flaw represents a significant security risk in virtualized environments where the Linux kernel serves as the guest operating system, as it directly impacts the integrity of memory management and hypervisor communication mechanisms. The vulnerability manifests when systems resume from hibernation, creating potential attack vectors through improper cleanup of shared memory regions used by hypervisor components.
The technical root cause of this vulnerability stems from an incomplete teardown process of paravirtualized features on the boot CPU during system hibernation. The Linux kernel's KVM implementation utilizes several PV features including Asynchronous Page Fault (Async PF), Paravirtualized End of Interrupt (PV EOI), and steal time accounting to optimize guest performance and maintain synchronization with the hypervisor. These features rely on shared memory regions that the hypervisor accesses to communicate with the guest kernel. During hibernation, the system saves its state to disk and powers down, but upon resume, the kernel jumps to the previously saved state. The flaw occurs because while secondary CPUs properly clean up these shared memory regions through the existing kvm_cpu_down_prepare() function and syscore operations, the boot CPU fails to perform this critical cleanup operation, leaving stale memory references accessible to the hypervisor.
This vulnerability directly relates to CWE-284, which addresses improper access control in system components, and aligns with ATT&CK technique T1059.003 for system shell execution through kernel-level modifications. The operational impact of this vulnerability extends beyond simple memory corruption, as it creates opportunities for hypervisor-level attackers to manipulate guest memory regions that should have been invalidated during hibernation. Attackers could potentially exploit this flaw to inject malicious data into previously freed memory locations, manipulate kernel structures, or even execute arbitrary code within the guest environment. The risk is particularly severe in cloud computing and virtualization environments where multiple tenants share the same physical hardware, as it could enable cross-tenant data leakage or privilege escalation attacks.
The resolution implemented for CVE-2021-47112 involves registering syscore operations to ensure that the boot CPU undergoes the same cleanup process as secondary CPUs during hibernation preparation. This fix addresses the fundamental asymmetry in the kernel's hibernation handling by extending the existing cleanup mechanism to cover all CPU cores equally, thereby preventing the hypervisor from writing to stale memory locations after kernel resume. The mitigation strategy aligns with security best practices for virtualized environments and follows established patterns for memory management in hypervisor-guest interactions. System administrators should prioritize applying this kernel update across all virtualized environments, particularly those running high-value workloads where the risk of hypervisor-level attacks is elevated. The fix demonstrates the importance of comprehensive testing for edge cases in virtualization systems and highlights the critical nature of memory management consistency across all CPU cores in complex kernel subsystems.