Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Aug 2021 16:13:56 +0200
From: Mauro Matteo Cascella <>
Cc: Maxim Levitsky <>, Paolo Bonzini <>
Subject: [CVE-2021-3653, CVE-2021-3656] SVM nested
 virtualization issues in KVM


Two vulnerabilities were found in the KVM's AMD code for supporting
SVM nested virtualization. They occur due to missing sanity checks of
some VMCB (virtual machine control block) fields provided by the L1
guest to handle a nested L2 guest.

This issue is caused by missing validation of the `int_ctl` VMCB field
and allows a malicious L1 guest to enable AVIC support (Advanced
Virtual Interrupt Controller) for the L2 guest. The L2 guest is able
to write to a limited but still relatively large subset of the host
physical memory. Note that AVIC is currently not supported with
nesting and it is not advertised in the L1 CPUID.

This bug dates back to kernel 2.6.30 where it was first introduced via

CVE-2021-3653 has been assigned by Red Hat, Inc.

This issue is caused by missing validation of the the `virt_ext` VMCB
field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE
intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under
these circumstances, the L2 guest is able to run VMLOAD/VMSAVE
unintercepted, and thus read/write portions of the host physical

This bug was introduced in kernel version 4.13 while enabling the
Virtual VMLOAD/VMSAVE feature:

CVE-2021-3656 has been assigned by Red Hat, Inc.

The nested guest (L2) could use these flaws to read/write physical
pages of the host, resulting in a crash of the entire system, leak of
sensitive data or potential guest-to-host escape.

Both vulnerabilities can be mitigated by disabling the nested
virtualization feature when loading kvm:
# modprobe kvm_amd nested=0

Disabling VLS (Virtual VMLOAD/VMSAVE) is an alternative mitigation for
# modprobe kvm_amd vls=0

CVE-2021-3653: Maxim Levitsky (Red Hat)
CVE-2021-3656: Maxim Levitsky (Red Hat) and Paolo Bonzini (Red Hat)


Thank you,
Best regards.
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.