Alexander Potapenko

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue is related to the KVM UAPI in the Linux kernel, where returning an abort to the guest for an unsupported MMIO access can cause a warning. This warning occurs when KVM is advancing PC while an exception is pending, specifically when retiring the MMIO instruction despite a pending synchronous external abort. The problem arises from limited testing of this plumbing, allowing userspace to trivially cause a warning in the MMIO return. Technical details include the involvement of `kvm handle mmio return` and `kvm arch vcpu ioctl run` functions, as well as the `arch/arm64/include/asm/kvm emulate.h` and `virt/kvm/kvm main.c` files. No information is provided about the estimated number of potentially affected devices or real-world incidents. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.74 or later. As a temporary workaround, consider restricting access to the KVM UAPI to minimize the risk of exploitation. Additionally, be cautious when using the `kvm handle mmio return` function and the related `kvm arch vcpu ioctl run` function to handle MMIO instructions, as these are directly involved in the issue.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.11.0-rc6 Description: A use-after-free issue has been identified in the Linux kernel, specifically in the KVM: arm64: Unregister redistributor for failed vCPU creation. This issue occurs when tearing down a VM, and it has been triggered by syzkaller. The problem arises from the improper teardown of MMIO registration for a vCPU that fails creation. To fix this issue, a special-cased unregistration has been added to ` kvm vgic vcpu destroy()`, which is safe because failed vCPUs are torn down outside of the config lock. Recommendations: For Linux kernel versions prior to 6.11.0-rc6, update to a newer version to mitigate the risk. As a temporary workaround, consider disabling the ` kvm vgic vcpu destroy()` function until a patch is available. Restrict access to the vulnerable `kvm put kvm()` function to minimize the risk of exploitation. Avoid using the `kvm vm release()` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the KVM component of the Linux kernel, specifically on arm64 systems with a GICv3. If a guest hasn't been configured with GICv3 and the host is not capable of GICv2 emulation, a write to any of the ICC *SGI* EL1 registers is trapped to EL2, leading to a NULL pointer being hit when trying to emulate the SGI access. This can cause a denial of service. The fix involves giving the guest a UNDEF exception in such cases. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the KVM (Kernel-based Virtual Machine) on arm64 architecture, where a dangling pointer to a redistributor region could be stored in a vcpu when tearing down the region. This could potentially lead to issues, but specific details about exploitation or affected devices are not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to the Linux kernel's KVM component, specifically the vgic-v2 module. It involves the `vgic v2 parse attr()` function, which is responsible for finding the vCPU that matches the user-provided CPUID. If the ID is invalid, `kvm get vcpu by id()` returns NULL, which is not handled properly. This can lead to a denial of service. The `vgic v2 parse attr()` function is similar to the GICv3 uaccess flow, and it checks that `kvm get vcpu by id()` actually returns something and fails the ioctl if not. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.11.5 **Description** The issue is related to a data race in the ALSA /dev/snd/timer driver of the Linux kernel, which can lead to the disclosure of information. This can occur when a read and an ioctl happen simultaneously, potentially allowing a local attacker to access confidential information by exploiting access rights to sound devices. The vulnerable component is located in sound/core/timer.c. **Recommendations** For Linux kernel versions prior to 4.11.5, update to version 4.11.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the sound devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a flaw in the Linux kernel's implementation of Userspace core dumps, specifically in the fill thread core info() function, which can lead to information disclosure. An attacker with a local account can exploit this flaw to crash a program and exfiltrate private kernel data. The vulnerability allows for the potential leak of kernel heap memory due to uninitialized data, which could lead to local information disclosure with no additional execution privileges needed. User interaction is not required for exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.