CVE-2023-54296 (GCVE-0-2023-54296)
Vulnerability from cvelistv5
Published
2025-12-30 12:23
Modified
2025-12-30 12:23
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration Fix a goof where KVM tries to grab source vCPUs from the destination VM when doing intrahost migration. Grabbing the wrong vCPU not only hoses the guest, it also crashes the host due to the VMSA pointer being left NULL. BUG: unable to handle page fault for address: ffffe38687000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO 6.5.0-smp--fff2e47e6c3b-next #151 Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023 RIP: 0010:__free_pages+0x15/0xd0 RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100 RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000 RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000 R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> sev_free_vcpu+0xcb/0x110 [kvm_amd] svm_vcpu_free+0x75/0xf0 [kvm_amd] kvm_arch_vcpu_destroy+0x36/0x140 [kvm] kvm_destroy_vcpus+0x67/0x100 [kvm] kvm_arch_destroy_vm+0x161/0x1d0 [kvm] kvm_put_kvm+0x276/0x560 [kvm] kvm_vm_release+0x25/0x30 [kvm] __fput+0x106/0x280 ____fput+0x12/0x20 task_work_run+0x86/0xb0 do_exit+0x2e3/0x9c0 do_group_exit+0xb1/0xc0 __x64_sys_exit_group+0x1b/0x20 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> CR2: ffffe38687000000
References
Impacted products
Vendor Product Version
Linux Linux Version: 6defa24d3b12bbd418bc8526dea1cbc605265c06
Version: 6defa24d3b12bbd418bc8526dea1cbc605265c06
Version: 6defa24d3b12bbd418bc8526dea1cbc605265c06
Version: 229334a8b1d0d5e60d3bdd091bbc4552d5321c97
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/sev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c18ace750e4d4d58d7da02d1c669bf21c824158",
              "status": "affected",
              "version": "6defa24d3b12bbd418bc8526dea1cbc605265c06",
              "versionType": "git"
            },
            {
              "lessThan": "2ee4b180d51b12a45bdd3264629719ef6a572a73",
              "status": "affected",
              "version": "6defa24d3b12bbd418bc8526dea1cbc605265c06",
              "versionType": "git"
            },
            {
              "lessThan": "f1187ef24eb8f36e8ad8106d22615ceddeea6097",
              "status": "affected",
              "version": "6defa24d3b12bbd418bc8526dea1cbc605265c06",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "229334a8b1d0d5e60d3bdd091bbc4552d5321c97",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/svm/sev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.54",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration\n\nFix a goof where KVM tries to grab source vCPUs from the destination VM\nwhen doing intrahost migration.  Grabbing the wrong vCPU not only hoses\nthe guest, it also crashes the host due to the VMSA pointer being left\nNULL.\n\n  BUG: unable to handle page fault for address: ffffe38687000000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] SMP NOPTI\n  CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO       6.5.0-smp--fff2e47e6c3b-next #151\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023\n  RIP: 0010:__free_pages+0x15/0xd0\n  RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100\n  RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000\n  RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000\n  R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000\n  R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000\n  FS:  0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0\n  PKRU: 55555554\n  Call Trace:\n   \u003cTASK\u003e\n   sev_free_vcpu+0xcb/0x110 [kvm_amd]\n   svm_vcpu_free+0x75/0xf0 [kvm_amd]\n   kvm_arch_vcpu_destroy+0x36/0x140 [kvm]\n   kvm_destroy_vcpus+0x67/0x100 [kvm]\n   kvm_arch_destroy_vm+0x161/0x1d0 [kvm]\n   kvm_put_kvm+0x276/0x560 [kvm]\n   kvm_vm_release+0x25/0x30 [kvm]\n   __fput+0x106/0x280\n   ____fput+0x12/0x20\n   task_work_run+0x86/0xb0\n   do_exit+0x2e3/0x9c0\n   do_group_exit+0xb1/0xc0\n   __x64_sys_exit_group+0x1b/0x20\n   do_syscall_64+0x41/0x90\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n   \u003c/TASK\u003e\n  CR2: ffffe38687000000"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:23:33.141Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c18ace750e4d4d58d7da02d1c669bf21c824158"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ee4b180d51b12a45bdd3264629719ef6a572a73"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1187ef24eb8f36e8ad8106d22615ceddeea6097"
        }
      ],
      "title": "KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54296",
    "datePublished": "2025-12-30T12:23:33.141Z",
    "dateReserved": "2025-12-30T12:06:44.528Z",
    "dateUpdated": "2025-12-30T12:23:33.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54296\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:18.697\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration\\n\\nFix a goof where KVM tries to grab source vCPUs from the destination VM\\nwhen doing intrahost migration.  Grabbing the wrong vCPU not only hoses\\nthe guest, it also crashes the host due to the VMSA pointer being left\\nNULL.\\n\\n  BUG: unable to handle page fault for address: ffffe38687000000\\n  #PF: supervisor read access in kernel mode\\n  #PF: error_code(0x0000) - not-present page\\n  PGD 0 P4D 0\\n  Oops: 0000 [#1] SMP NOPTI\\n  CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO       6.5.0-smp--fff2e47e6c3b-next #151\\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023\\n  RIP: 0010:__free_pages+0x15/0xd0\\n  RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246\\n  RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100\\n  RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000\\n  RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000\\n  R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000\\n  R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000\\n  FS:  0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000\\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n  CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0\\n  PKRU: 55555554\\n  Call Trace:\\n   \u003cTASK\u003e\\n   sev_free_vcpu+0xcb/0x110 [kvm_amd]\\n   svm_vcpu_free+0x75/0xf0 [kvm_amd]\\n   kvm_arch_vcpu_destroy+0x36/0x140 [kvm]\\n   kvm_destroy_vcpus+0x67/0x100 [kvm]\\n   kvm_arch_destroy_vm+0x161/0x1d0 [kvm]\\n   kvm_put_kvm+0x276/0x560 [kvm]\\n   kvm_vm_release+0x25/0x30 [kvm]\\n   __fput+0x106/0x280\\n   ____fput+0x12/0x20\\n   task_work_run+0x86/0xb0\\n   do_exit+0x2e3/0x9c0\\n   do_group_exit+0xb1/0xc0\\n   __x64_sys_exit_group+0x1b/0x20\\n   do_syscall_64+0x41/0x90\\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n   \u003c/TASK\u003e\\n  CR2: ffffe38687000000\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2ee4b180d51b12a45bdd3264629719ef6a572a73\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5c18ace750e4d4d58d7da02d1c669bf21c824158\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f1187ef24eb8f36e8ad8106d22615ceddeea6097\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.