{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2021-47230",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-04-10T18:59:19.530Z",
        "datePublished": "2024-05-21T14:19:33.759Z",
        "dateUpdated": "2024-08-04T05:32:07.459Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:04:18.640Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Immediately reset the MMU context when the SMM flag is cleared\n\nImmediately reset the MMU context when the vCPU's SMM flag is cleared so\nthat the SMM flag in the MMU role is always synchronized with the vCPU's\nflag.  If RSM fails (which isn't correctly emulated), KVM will bail\nwithout calling post_leave_smm() and leave the MMU in a bad state.\n\nThe bad MMU role can lead to a NULL pointer dereference when grabbing a\nshadow page's rmap for a page fault as the initial lookups for the gfn\nwill happen with the vCPU's SMM flag (=0), whereas the rmap lookup will\nuse the shadow page's SMM flag, which comes from the MMU (=1).  SMM has\nan entirely different set of memslots, and so the initial lookup can find\na memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1).\n\n  general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n  RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline]\n  RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947\n  Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44\n  RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40\n  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001\n  RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002\n  R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000\n  R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000\n  FS:  000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline]\n   mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604\n   __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline]\n   direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769\n   kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline]\n   kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065\n   vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122\n   vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428\n   vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494\n   kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722\n   kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:1069 [inline]\n   __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055\n   do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n  RIP: 0033:0x440ce9"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "arch/x86/kvm/x86.c"
                    ],
                    "versions": [
                        {
                            "version": "9ec19493fb86",
                            "lessThan": "cbb425f62df9",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "9ec19493fb86",
                            "lessThan": "669a8866e468",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "9ec19493fb86",
                            "lessThan": "df9a40cfb3be",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "9ec19493fb86",
                            "lessThan": "78fcb2c91adf",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "arch/x86/kvm/x86.c"
                    ],
                    "versions": [
                        {
                            "version": "5.1",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "5.1",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.4.128",
                            "lessThanOrEqual": "5.4.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.46",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.12.13",
                            "lessThanOrEqual": "5.12.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.13",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/cbb425f62df9df7abee4b3f068f7ed6ffc3561e2"
                },
                {
                    "url": "https://git.kernel.org/stable/c/669a8866e468fd020d34eb00e08cb41d3774b71b"
                },
                {
                    "url": "https://git.kernel.org/stable/c/df9a40cfb3be2cbeb1c17bb67c59251ba16630f3"
                },
                {
                    "url": "https://git.kernel.org/stable/c/78fcb2c91adfec8ce3a2ba6b4d0dda89f2f4a7c6"
                }
            ],
            "title": "KVM: x86: Immediately reset the MMU context when the SMM flag is cleared",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "problemTypes": [
                    {
                        "descriptions": [
                            {
                                "type": "CWE",
                                "cweId": "CWE-476",
                                "lang": "en",
                                "description": "CWE-476 NULL Pointer Dereference"
                            }
                        ]
                    }
                ],
                "affected": [
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "9ec19493fb86",
                                "status": "affected",
                                "lessThan": "cbb425f62df9",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "9ec19493fb86",
                                "status": "affected",
                                "lessThan": "669a8866e468",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "9ec19493fb86",
                                "status": "affected",
                                "lessThan": "df9a40cfb3be",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "9ec19493fb86",
                                "status": "affected",
                                "lessThan": "78fcb2c91adf",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "0",
                                "status": "unaffected",
                                "lessThan": "5.1",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "5.4.128",
                                "status": "unaffected",
                                "lessThan": "5.5",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "5.10.46",
                                "status": "unaffected",
                                "lessThan": "5.11",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "5.12.13",
                                "status": "unaffected",
                                "lessThan": "5.13",
                                "versionType": "custom"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "5.13",
                                "status": "unaffected"
                            }
                        ]
                    },
                    {
                        "vendor": "linux",
                        "product": "linux_kernel",
                        "cpes": [
                            "cpe:2.3:o:linux:linux_kernel:5.1:*:*:*:*:*:*:*"
                        ],
                        "defaultStatus": "unknown",
                        "versions": [
                            {
                                "version": "5.1",
                                "status": "affected"
                            }
                        ]
                    }
                ],
                "metrics": [
                    {
                        "cvssV3_1": {
                            "scope": "UNCHANGED",
                            "version": "3.1",
                            "baseScore": 6.6,
                            "attackVector": "LOCAL",
                            "baseSeverity": "MEDIUM",
                            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
                            "integrityImpact": "HIGH",
                            "userInteraction": "REQUIRED",
                            "attackComplexity": "LOW",
                            "availabilityImpact": "HIGH",
                            "privilegesRequired": "LOW",
                            "confidentialityImpact": "NONE"
                        }
                    },
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-06-04T19:56:04.916742Z",
                                "id": "CVE-2021-47230",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-06-06T19:56:39.707Z"
                }
            },
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-04T05:32:07.459Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/cbb425f62df9df7abee4b3f068f7ed6ffc3561e2",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/669a8866e468fd020d34eb00e08cb41d3774b71b",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/df9a40cfb3be2cbeb1c17bb67c59251ba16630f3",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/78fcb2c91adfec8ce3a2ba6b4d0dda89f2f4a7c6",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    }
}