CVE-2021-38198 Overview
CVE-2021-38198 is a kernel vulnerability affecting the Linux Kernel's KVM (Kernel-based Virtual Machine) memory management unit implementation. The flaw exists in arch/x86/kvm/mmu/paging_tmpl.h where the access permissions of a shadow page are incorrectly computed. This improper computation leads to missing guest protection page faults, potentially allowing a local attacker to cause a denial of service condition on affected systems running virtualized environments.
Critical Impact
Local attackers with low privileges can exploit incorrect shadow page permission computation in the KVM MMU to cause denial of service conditions on systems running virtual machines.
Affected Products
- Linux Kernel versions prior to 5.12.11
- Debian Linux 9.0
Discovery Timeline
- 2021-08-08 - CVE CVE-2021-38198 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-38198
Vulnerability Analysis
This vulnerability resides in the KVM MMU shadow paging implementation, specifically in the paging_tmpl.h header file. Shadow paging is a technique used by hypervisors to translate guest virtual addresses to host physical addresses when hardware-assisted paging (EPT/NPT) is not available or not used.
The core issue involves how inherited guest access permissions are tracked and applied when constructing shadow page table entries. The original implementation incorrectly stored and propagated permissions, using a single unsigned pt_access variable instead of tracking permissions at each page table level. This meant that when walking the guest page tables, the accumulated permissions from parent entries were not correctly inherited by child entries.
When a guest accesses memory, the KVM MMU should enforce the intersection of all permissions along the page table walk path. Due to this flaw, the shadow page entries could have more permissive access rights than intended, causing the hypervisor to fail in generating appropriate protection page faults when the guest attempts unauthorized memory access.
Root Cause
The root cause is an architectural flaw in how the walker structure in paging_tmpl.h tracked page table access permissions. The original code used a single unsigned pt_access variable to store inherited permissions, which was insufficient for correctly computing the accumulated permissions across all levels of the page table hierarchy.
The fix changes this to an array unsigned int pt_access[PT_MAX_FULL_LEVELS] that properly tracks permissions at each level, ensuring that the intersection of permissions from all parent page table entries is correctly computed for the final shadow page entry.
Attack Vector
This is a local attack vector requiring an attacker to have low-privilege access to a system running KVM virtual machines. The attacker can exploit the permission computation flaw to trigger denial of service conditions affecting the availability of the virtualized environment.
The attack does not require user interaction and operates within the scope of the vulnerable component. While the vulnerability does not directly impact confidentiality or integrity, it can cause significant disruption to systems relying on KVM virtualization.
// Security patch showing the fix in arch/x86/kvm/mmu/paging_tmpl.h
// Source: https://github.com/torvalds/linux/commit/b1bd5cba3306691c771d558e94baa73e8b0b96b7
gpa_t pte_gpa[PT_MAX_FULL_LEVELS];
pt_element_t __user *ptep_user[PT_MAX_FULL_LEVELS];
bool pte_writable[PT_MAX_FULL_LEVELS];
- unsigned pt_access;
- unsigned pte_access;
+ unsigned int pt_access[PT_MAX_FULL_LEVELS];
+ unsigned int pte_access;
gfn_t gfn;
struct x86_exception fault;
};
The documentation was also updated to clarify the proper behavior:
// Documentation update in Documentation/virt/kvm/mmu.rst
// Source: https://github.com/torvalds/linux/commit/b1bd5cba3306691c771d558e94baa73e8b0b96b7
shadow pages) so role.quadrant takes values in the range 0..3. Each
quadrant maps 1GB virtual address space.
role.access:
- Inherited guest access permissions in the form uwx. Note execute
- permission is positive, not negative.
+ Inherited guest access permissions from the parent ptes in the form uwx.
+ Note execute permission is positive, not negative.
role.invalid:
The page is invalid and should not be used. It is a root page that is
currently pinned (by a cpu hardware register pointing to it); once it is
Detection Methods for CVE-2021-38198
Indicators of Compromise
- Unexpected crashes or hangs in KVM-based virtual machines
- Kernel panic messages referencing KVM MMU or shadow paging components
- Unusual guest memory access patterns that should have triggered page faults
- System log entries indicating KVM permission validation failures
Detection Strategies
- Monitor for kernel versions prior to 5.12.11 running KVM workloads
- Implement kernel log monitoring for KVM MMU-related error messages
- Use vulnerability scanners to identify unpatched Linux kernel installations
- Review virtualization host configurations for affected kernel versions
Monitoring Recommendations
- Enable detailed KVM tracing and logging on virtualization hosts
- Monitor system stability metrics for KVM-based VMs, particularly unexpected terminations
- Set up alerts for kernel panics or oops related to KVM subsystem
- Regularly audit kernel versions across virtualization infrastructure
How to Mitigate CVE-2021-38198
Immediate Actions Required
- Upgrade the Linux Kernel to version 5.12.11 or later immediately
- Apply vendor-provided security patches from Debian or your Linux distribution
- Prioritize patching on systems running KVM virtualization workloads
- Consider temporarily migrating critical VMs to patched hosts if immediate kernel upgrade is not possible
Patch Information
The vulnerability was addressed in Linux Kernel version 5.12.11. The fix is available in the Linux Kernel ChangeLog 5.12.11 and the specific commit can be reviewed at GitHub Linux Commit b1bd5cba.
For Debian users, security advisories with patched packages are available:
Workarounds
- If upgrading is not immediately possible, consider using hardware-assisted virtualization (EPT/NPT) which does not rely on shadow paging
- Restrict local access to systems running KVM to minimize exposure
- Implement additional monitoring on virtualization hosts to detect potential exploitation attempts
- Consider using alternative virtualization technologies temporarily on critical systems
# Check current kernel version
uname -r
# Verify if KVM modules are loaded
lsmod | grep kvm
# Check for available kernel updates (Debian/Ubuntu)
apt update && apt list --upgradable | grep linux-image
# Check for available kernel updates (RHEL/CentOS)
yum check-update kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
