CVE-2023-53996
Description
In the Linux kernel, the following vulnerability has been resolved:
x86/sev: Make enc_dec_hypercall() accept a size instead of npages
enc_dec_hypercall() accepted a page count instead of a size, which forced its callers to round up. As a result, non-page aligned vaddrs caused pages to be spuriously marked as decrypted via the encryption status hypercall, which in turn caused consistent corruption of pages during live migration. Live migration requires accurate encryption status information to avoid migrating pages from the wrong perspective.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bug in the Linux kernel's SEV enc_dec_hypercall() caused non-page-aligned vaddrs to spuriously mark pages as decrypted, which corrupted pages during live migration.
Root Cause
The vulnerability resides in the Linux kernel's SEV (Secure Encrypted Virtualization) code. The function enc_dec_hypercall() accepted a page count (npages) instead of a byte size, forcing callers to round up their requests. When a virtual address (vaddr) was not page-aligned, the rounding caused pages that should remain encrypted to be marked as decrypted via the encryption status hypercall. [1]
Exploitation
An attacker with access to the hypervisor or migration infrastructure could trigger this bug during live migration. No special privileges on the guest are required; the flaw is in the kernel's handling of memory encryption status updates. As the official description states, 'non-page aligned vaddrs caused pages to be spuriously marked as decrypted via the encryption status hypercall.' [1]
Impact
The spurious decryption marking leads to 'consistent corruption of pages during live migration.' Live migration relies on accurate encryption status to transfer pages from the correct perspective (encrypted vs. decrypted). Any mismatch results in data corruption, potentially causing guest crashes or data leaks. [1]
Mitigation
The fix changes enc_dec_hypercall() to accept a size instead of a page count, ensuring correct handling for non-page-aligned addresses. The patch was committed to the stable kernel tree. Users should apply the update to prevent migration-induced corruption. [1]
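A user-space model of the rounding problem and the size-based fix described above, added here as an illustration; it is not the kernel's code. The helper names, the constructed addresses, and the 4 KiB-only page walk are assumptions of this example.

```c
#include <stdio.h>

#define PAGE_SHIFT 12UL
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

/* Assumed model of the page walk: count every 4 KiB page that the range
 * [vaddr, vaddr_end) touches, i.e. every page whose status gets reported. */
static unsigned long pages_reported(unsigned long vaddr, unsigned long vaddr_end)
{
    unsigned long n = 0;

    while (vaddr < vaddr_end) {
        n++;
        vaddr = (vaddr & PAGE_MASK) + PAGE_SIZE; /* step to next page boundary */
    }
    return n;
}

/* Old interface (hypothetical name): the caller rounds size up to npages. */
static unsigned long report_by_npages(unsigned long vaddr, unsigned long size)
{
    unsigned long npages = PAGE_ALIGN(size) >> PAGE_SHIFT;

    return pages_reported(vaddr, vaddr + (npages << PAGE_SHIFT));
}

/* New interface (hypothetical name): the byte size is passed unchanged. */
static unsigned long report_by_size(unsigned long vaddr, unsigned long size)
{
    return pages_reported(vaddr, vaddr + size);
}

/* Pages reported beyond the ones the buffer actually occupies. */
static unsigned long spurious_pages(unsigned long vaddr, unsigned long size)
{
    return report_by_npages(vaddr, size) - report_by_size(vaddr, size);
}

int main(void)
{
    /* Constructed input: 0x100 bytes starting 0x800 into a page. */
    unsigned long vaddr = 0x7000800UL, size = 0x100;

    printf("npages-based: %lu page(s), size-based: %lu page(s), spurious: %lu\n",
           report_by_npages(vaddr, size), report_by_size(vaddr, size),
           spurious_pages(vaddr, size));
    return 0;
}
```

With an aligned vaddr both variants report the same pages; the extra page appears only when the start offset plus the rounded-up length crosses a page boundary that the real buffer does not reach.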
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
ba50e7773a99
6615212d8e13
8ae7457e71a3
ac3f9c9f1b37
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4