{"id":"CVE-2021-46978","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nVMX: Always make an attempt to map eVMCS after migration\n\nWhen enlightened VMCS is in use and nested state is migrated with\nvmx_get_nested_state()/vmx_set_nested_state() KVM can't map evmcs\npage right away: evmcs gpa is not 'struct kvm_vmx_nested_state_hdr'\nand we can't read it from VP assist page because userspace may decide\nto restore HV_X64_MSR_VP_ASSIST_PAGE after restoring nested state\n(and QEMU, for example, does exactly that). To make sure eVMCS is\nmapped /vmx_set_nested_state() raises KVM_REQ_GET_NESTED_STATE_PAGES\nrequest.\n\nCommit f2c7ef3ba955 (\"KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES\non nested vmexit\") added KVM_REQ_GET_NESTED_STATE_PAGES clearing to\nnested_vmx_vmexit() to make sure MSR permission bitmap is not switched\nwhen an immediate exit from L2 to L1 happens right after migration (caused\nby a pending event, for example). Unfortunately, in the exact same\nsituation we still need to have eVMCS mapped so\nnested_sync_vmcs12_to_shadow() reflects changes in VMCS12 to eVMCS.\n\nAs a band-aid, restore nested_get_evmcs_page() when clearing\nKVM_REQ_GET_NESTED_STATE_PAGES in nested_vmx_vmexit(). The 'fix' is far\nfrom being ideal as we can't easily propagate possible failures and even if\nwe could, this is most likely already too late to do so. The whole\n'KVM_REQ_GET_NESTED_STATE_PAGES' idea for mapping eVMCS after migration\nseems to be fragile as we diverge too much from the 'native' path when\nvmptr loading happens on vmx_set_nested_state().","modified":"2026-03-13T05:20:26.178899Z","published":"2024-02-28T09:15:37.183Z","references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/f5c7e8425f18fdb9bdb7d13340651d7876890329"},{"type":"FIX","url":"https://git.kernel.org/stable/c/200a45649ab7361bc80c70aebf7165b64f9a6c9f"},{"type":"FIX","url":"https://git.kernel.org/stable/c/bd0e8455b85b651a4c77de9616e307129b15aaa7"},{"type":"FIX","url":"https://git.kernel.org/stable/c/c8bf64e3fb77cc19bad146fbe26651985b117194"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"5.10.13"},{"fixed":"5.10.38"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.11.22"}]},{"events":[{"introduced":"5.12"},{"fixed":"5.12.5"}]},{"events":[{"introduced":"0"},{"last_affected":"5.13-rc1"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46978.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}