Critical Vulnerability Information

Vulnerability Description:
- KVM has a bug in its handling of the DR6 debug register: under certain conditions KVM loads hardware DR6 with a stale value of vcpu->arch.dr6, overwriting a DR6 value the guest had just written.
- When a guest accesses debug registers and host user space is not debugging the guest, KVM disables DR interception, loads the guest's DR values into hardware on VM-Enter and saves them back on VM-Exit. This lets the guest access DRs freely, for example to configure a breakpoint with a sequence of DR writes that triggers only a single VM-Exit.

Root Cause:
- The behavior of DR0-DR3 is identical between VMX and SVM, and also identical between KVM_DEBUGREG_BP_ENABLED (user space debugging the guest) and KVM_DEBUGREG_WONT_EXIT (guest using DRs). KVM therefore loads DR0-DR3 in common x86 code, outside the core kvm_x86_ops.vcpu_run() loop.
- For DR6 the situation differs: the guest's value does not need to be loaded into hardware at all for KVM_DEBUGREG_BP_ENABLED, SVM provides a dedicated VMCB field for it, and VMX requires software to load the guest value manually. Loading the guest's DR6 was therefore done by the vendor .vcpu_run() implementations, i.e. inside the core run loop.
- Saving hardware DR6 back into vcpu->arch.dr6, however, happens in common code after the core loop has exited. When a VM-Exit is handled in the fastpath and re-enters the guest without leaving the core loop, the vendor code reloads vcpu->arch.dr6 into hardware even though it has not been refreshed since the previous VM-Enter, clobbering whatever the guest wrote to DR6 in the meantime.

Fix:
- Move the conditional loading of hardware DR6 with the guest's value out of the core .vcpu_run() loop, so that DR6 is loaded once before the loop is entered and a fastpath re-entry no longer reloads a stale vcpu->arch.dr6.

Impact Scope:
- Primarily affects nested VMX, because KVM handles the VMX preemption timer VM-Exit in the fastpath, and the window between hardware DR6 being modified and being read back is several orders of magnitude larger in nested setups than in non-nested ones.

Commit Information:
- Author: Sean Christopherson
- Committer: Greg Kroah-Hartman
- Commit Time: 2025-01-24 17:18:33 -0800
- Commit ID: 9efb2b996c86664bbdbdd2cdb354ac9627eb20
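The ordering problem described above can be seen in a small model of the run loop. The following C program is an added example written for this page, not KVM code: `model_vcpu`, `model_enter_exit`, `run_model` and `model_final_dr6` are hypothetical stand-ins for the vCPU state, the guest entry/exit, `vcpu_enter_guest()` and the vendor `.vcpu_run()`, and the DR6 values and the fastpath exit schedule are constructed. It contrasts the buggy placement (DR6 loaded inside the inner loop on every entry) with the fixed placement (DR6 loaded once before the loop) and reports the value that the common save path ends up storing in `vcpu->arch.dr6`.

```c
/*
 * Toy model of the KVM DR6 load-ordering bug (added example, not KVM code).
 * Constructed scenario: the guest writes DR6 while KVM_DEBUGREG_WONT_EXIT is
 * set, then takes a VM-Exit that is handled in the fastpath and re-enters the
 * guest without returning to the common code that saves hardware DRs.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag value for the model; only its presence matters here. */
#define MODEL_DEBUGREG_WONT_EXIT (1u << 1)

enum model_fastpath { MODEL_FASTPATH_NONE, MODEL_FASTPATH_REENTER_GUEST };

struct model_vcpu {
    unsigned int switch_db_regs;
    uint64_t arch_dr6;        /* vcpu->arch.dr6: KVM's cached copy of guest DR6 */
    uint64_t hw_dr6;          /* hardware DR6 as seen while the guest runs */
    int fastpath_exits_left;  /* constructed schedule of fastpath re-entries */
    uint64_t guest_write;     /* value the guest writes to DR6 on its first run */
    bool guest_wrote;
};

/* Simulated guest execution: writes DR6 once, then takes a VM-Exit. */
static enum model_fastpath model_enter_exit(struct model_vcpu *v)
{
    if (!v->guest_wrote) {
        v->hw_dr6 = v->guest_write;   /* guest MOV to DR6, not intercepted */
        v->guest_wrote = true;
    }
    /* e.g. a preemption timer exit that the fastpath handler resolves */
    if (v->fastpath_exits_left-- > 0)
        return MODEL_FASTPATH_REENTER_GUEST;
    return MODEL_FASTPATH_NONE;
}

/* Buggy vendor .vcpu_run(): reloads DR6 on every pass through the inner loop. */
static enum model_fastpath buggy_vendor_vcpu_run(struct model_vcpu *v)
{
    if (v->switch_db_regs & MODEL_DEBUGREG_WONT_EXIT)
        v->hw_dr6 = v->arch_dr6;      /* stale on re-entry: save has not run yet */
    return model_enter_exit(v);
}

/* Fixed vendor .vcpu_run(): the DR6 load moved out to common code. */
static enum model_fastpath fixed_vendor_vcpu_run(struct model_vcpu *v)
{
    return model_enter_exit(v);
}

/* Common code after the loop: save hardware DR6 back into vcpu->arch.dr6. */
static void model_sync_dirty_debug_regs(struct model_vcpu *v)
{
    if (v->switch_db_regs & MODEL_DEBUGREG_WONT_EXIT)
        v->arch_dr6 = v->hw_dr6;
}

/* Models vcpu_enter_guest(): with the fix, DR6 is loaded once before the loop. */
static uint64_t run_model(struct model_vcpu *v, bool fixed)
{
    if (fixed && (v->switch_db_regs & MODEL_DEBUGREG_WONT_EXIT))
        v->hw_dr6 = v->arch_dr6;
    for (;;) {
        enum model_fastpath fp = fixed ? fixed_vendor_vcpu_run(v)
                                       : buggy_vendor_vcpu_run(v);
        if (fp != MODEL_FASTPATH_REENTER_GUEST)
            break;                    /* leave the core loop; common code resumes */
    }
    model_sync_dirty_debug_regs(v);
    return v->arch_dr6;
}

/* Returns the DR6 value KVM ends up caching; values are constructed. */
uint64_t model_final_dr6(bool fixed, int fastpath_exits)
{
    struct model_vcpu v = {
        .switch_db_regs = MODEL_DEBUGREG_WONT_EXIT,
        .arch_dr6 = 0xffff0ff0ULL,     /* cached DR6 before entry */
        .hw_dr6 = 0,
        .fastpath_exits_left = fastpath_exits,
        .guest_write = 0xffff0ff1ULL,  /* guest sets B0 */
        .guest_wrote = false,
    };
    return run_model(&v, fixed);
}

int main(void)
{
    printf("buggy, no fastpath re-entry: %llx\n", (unsigned long long)model_final_dr6(false, 0));
    printf("buggy, one fastpath re-entry: %llx\n", (unsigned long long)model_final_dr6(false, 1));
    printf("fixed, one fastpath re-entry: %llx\n", (unsigned long long)model_final_dr6(true, 1));
    return 0;
}
```

Without a fastpath re-entry both variants cache the guest's write, which is why the bug only shows up on exits that are resolved inside the core loop; with one re-entry the buggy ordering reverts DR6 to the pre-entry value, while the fixed ordering keeps the guest's write.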