Rick Edgecombe

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the dma-direct feature in the Linux kernel, where an untrusted host on TDX can cause set memory encrypted() or set memory decrypted() to fail, resulting in shared memory. Callers must handle these errors to avoid returning decrypted memory to the page allocator, which could lead to functional or security issues. DMA could free decrypted/shared pages if dma set decrypted() fails, and in this rare case, the pages should be leaked instead of freed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** In CoCo VMs, it is possible for the untrusted host to cause `set memory encrypted()` or `set memory decrypted()` to fail, resulting in shared memory. Callers need to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The `netvsc` driver could free decrypted/shared pages if `set memory decrypted()` fails. Checking the `decrypted` field in the `gpadl` can decide whether to free the memory. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.37 or later. As a temporary workaround, consider checking the `decrypted` field in the `gpadl` to decide whether to free the memory, and handle errors from `set memory encrypted()` and `set memory decrypted()` to avoid returning decrypted (shared) memory to the page allocator.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue arises in CoCo VMs where an untrusted host can cause `set memory encrypted()` or `set memory decrypted()` to fail, leading to shared memory. Callers must handle these errors to prevent returning decrypted memory to the page allocator, which could result in functional or security issues. The VMBus code may free decrypted pages if `set memory encrypted()` or `set memory decrypted()` fails, potentially leaking pages. **Recommendations** Update to Linux kernel version 6.6.37 or later to resolve the issue. As a temporary workaround, consider implementing error handling for `set memory encrypted()` and `set memory decrypted()` failures to prevent decrypted memory from being returned to the page allocator. Restrict access to the VMBus code to minimize the risk of exploitation until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the KVM (Kernel-based Virtual Machine) component of the Linux kernel. It occurs when memory attributes are set on a GFN (Guest Frame Number) range, and the range has specific properties applied to the TDP (Translation Data Processor). A huge page cannot be used when the attributes are inconsistent. The KVM SET MEMORY ATTRIBUTES operation checks an xarray to ensure it consistently has the incoming attribute. However, an optimization employed by the helper `hugepage has attrs()` function can cause an overflow of the level - 1 `kvm lpage info` array, resulting in a vmalloc out-of-bounds read. The `KVM LPAGE MIXED FLAG` bit is used to mark huge pages with mixed attributes, and it is essentially a permanently elevated count. Huge pages will not be mapped for the GFN at that page size if the count is elevated. The issue can be observed by compiling the kernel with `CONFIG KASAN VMALLOC` and running the selftest "private mem conversions test". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** In CoCo VMs, an untrusted host can cause `set memory encrypted()` or `set memory decrypted()` to fail, resulting in shared memory. Callers must handle these errors to avoid returning decrypted memory to the page allocator, which could lead to functional or security issues. The VMBus device UIO driver could free decrypted/shared pages if `set memory decrypted()` fails. Checking the `decrypted` field in the `gpadl` can help decide whether to free the memory. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.