CVE-2023-54092
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: s390: pv: fix index value of replaced ASCE
The index field of the struct page corresponding to a guest ASCE should be 0. When replacing the ASCE in s390_replace_asce(), the index of the new ASCE should also be set to 0.
Having the wrong index might lead to the wrong addresses being passed around when notifying pte invalidations, and eventually to validity intercepts (VM crash) if the prefix gets unmapped and the notifier gets called with the wrong address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, KVM/s390's s390_replace_asce() fails to reset the index field of the struct page for the new ASCE, potentially causing VM crashes via invalid pte invalidation notifications.
Vulnerability Description
In the Linux kernel, the KVM for s390 (KVM/s390) protected virtualization (PV) code contains a bug in the s390_replace_asce() function. When replacing a guest's Address Space Control Element (ASCE), the function fails to set the index field of the new struct page to 0. The index field of the page corresponding to a guest ASCE should always be 0; failing to reset it means the new ASCE retains a stale index value from the original page, leading to incorrect addresses being used during page table invalidation notifications [1][2].
Exploitation and Attack Surface
This vulnerability is triggered during normal KVM operation when the host replaces a guest's ASCE, for example during certain memory management operations. The bug manifests when the guest's prefix (lowcore) is unmapped and the invalidation notifier is called with the wrong address derived from the non-zero index. No special attacker privileges are required beyond the ability to run a KVM guest on an s390 host with protected virtualization enabled; the issue is a logic error in the host kernel code, not in guest-controlled data.
Impact
If the index is incorrect, the kernel may pass wrong addresses to the pte invalidation notifier. This can result in a validity intercept, which typically causes the VM to crash (i.e., a denial of service). The crash is triggered by the host kernel, not by malicious guest input, but it can be reliably provoked by normal guest operations that cause ASCE replacement.
Mitigation Status
The fix has been applied to the Linux kernel stable tree. The commits referenced (017f686bcb536ff23d49c143fdf9d1fd89a9a924 and f1c7a776338f2ac5e34da40e58fe9f33ea390a5e) correct the issue by ensuring the index field is set to 0 in s390_replace_asce() [1][2]. Users should update to kernels containing these commits.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 5
- 8e635da0e0d3
- 49a2686addde
- 017f686bcb53
- f1c7a776338f
- c2fceb59bbda
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/017f686bcb536ff23d49c143fdf9d1fd89a9a924 (nvd)
- git.kernel.org/stable/c/49a2686adddebe1ae76b4d368383208656ef6606 (nvd)
- git.kernel.org/stable/c/8e635da0e0d3cb45e32fa79b36218fb98281bc10 (nvd)
- git.kernel.org/stable/c/c2fceb59bbda16468bda82b002383bff59de89ab (nvd)
- git.kernel.org/stable/c/f1c7a776338f2ac5e34da40e58fe9f33ea390a5e (nvd)