7

CVE-2026-52969

KVM: Reject wrapped offset in kvm_reset_dirty_gfn()

In the Linux kernel, the following vulnerability has been resolved:

KVM: Reject wrapped offset in kvm_reset_dirty_gfn()

kvm_reset_dirty_gfn() guards the gfn range with

	if (!memslot || (offset + __fls(mask)) >= memslot->npages)
		return;

but offset is u64 and the addition is unchecked.  The check can be
silently bypassed by a u64 wrap.

The dirty ring backing those entries is MAP_SHARED at
KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the
slot and offset fields of any entry between when the kernel pushes
them and when KVM_RESET_DIRTY_RINGS consumes them.  On reset,
kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds
them straight back into this check; only the flags handshake is
treated as the handover, the slot/offset payload is taken on trust.

Crafting two entries

	entry[i].offset   = 0xffffffffffffffc1
	entry[i+1].offset = 0

makes the coalescing loop in kvm_dirty_ring_reset() compute

	delta = (s64)(0 - 0xffffffffffffffc1) = 63

which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the
existing mask by setting bit 63.  The trailing kvm_reset_dirty_gfn()
call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63;
the sum is 0 in u64 and the bounds check passes.

That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()
unchanged.  On the legacy MMU path -- kvm_memslots_have_rmaps() ==
true, i.e. shadow paging, any VM that has allocated shadow roots, or
a write-tracked slot -- it reaches gfn_to_rmap(), which indexes
slot->arch.rmap[0][] with a near-U64_MAX gfn.  That is an
out-of-bounds load of a kvm_rmap_head, followed by a conditional
clear of PT_WRITABLE_MASK in whatever the loaded pointer points at.
The path is reachable from any process holding /dev/kvm.

Range-check offset on its own first, so the addition cannot wrap.
memslot->npages is bounded well below U64_MAX, so once offset <
npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG)
stays in range.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 10
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 6
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 7
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 8
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 9
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.043
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7 1 5.9
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

https://git.kernel.org/stable/c/74f1a22f7a80f03d28ad8551a2d25d563433addf
https://git.kernel.org/stable/c/0eb281eb95b2d4eea4db1da5fe91023aecc97095
https://git.kernel.org/stable/c/01b71b930f15728aa8599478a7ce90c19dcd9fc2
https://git.kernel.org/stable/c/b315b033a877b1ee6d827810b5d7bb4392ffcf8d
https://git.kernel.org/stable/c/0d419c23bb11b5c9664de777c47c1f04a235882d
https://git.kernel.org/stable/c/ecf9b3ea7847fe14f34b8c41f00de1eb95c747da
https://git.kernel.org/stable/c/577a8d3bae0531f0e5ccfac919cd8192f920a804
https://bugzilla.redhat.com/show_bug.cgi?id=2492434
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52969.json
https://access.redhat.com/security/cve/CVE-2026-52969