HIGH Introduced in 6.10
kvm SEV PSC OOB Write
CVE-2026-53360
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
01Description
In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use As per the GHCB spec, when using GHCB v2+ require the software scratch area to reside in the GHCB's shared buffer. Note, things like Page State Change (PSC) requests _rely_ on this behavior, as the guest can't provide a length when making the request, i.e. the size of the guest payload is bounded by the size of the shared buffer. Failure to force usage of the GHCB, and a slew of other flaws, lets a malicious SNP guest corrupt host kernel heap memory, and leak host heap layout information. setup_vmgexit_scratch() allocates a buffer via kvzalloc(exit_info_2), where exit_info_2 is guest-controlled. With exit_info_2=24, this yields a 24-byte allocation in kmalloc-cg-32 (32-byte slab objects). The buffer holds an 8-byte psc_hdr followed by 8-byte psc_entry structs, so only entries[0] and entries[1] are in-bounds. snp_begin_psc() validates end_entry against VMGEXIT_PSC_MAX_COUNT (253) but NOT against the actual buffer size: idx_end = hdr->end_entry; if (idx_end >= VMGEXIT_PSC_MAX_COUNT) { // checks 253, not buffer snp_complete_psc(svm, ...); return 1; } for (idx = idx_start; idx <= idx_end; idx++) { entry_start = entries[idx]; // OOB when idx >= 2 The guest sets end_entry=10+, causing the host to iterate entries[2+] which are OOB into adjacent slab objects. For each OOB entry: - The host reads 8 bytes (OOB READ / info leak oracle) - If the data passes PSC validation, __snp_complete_one_psc() writes cur_page = 1 or 512 into the entry (OOB WRITE, sev.c:3806) - If validation fails, the error response reveals whether adjacent memory is zero vs non-zero (information disclosure to guest) The guest controls allocation size (exit_info_2), entry range (cur_entry/end_entry), and can fire unlimited VMGEXITs to repeatedly hit different slab positions. By exploiting the variety of bugs, a malicious SEV-SNP guest can: - OOB read adjacent kmalloc-cg-32 objects (heap layout disclosure) - OOB write cur_page bits into adjacent objects (heap corruption) - Trigger use-after-free conditions across VMGEXITs E.g. with KASAN enabled, a single insmod of the PoC guest module produces 73 KASAN reports: BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x126/0x890 Read of size 8 at addr ffff888219ffb5e0 by task qemu-system-x86/2199 BUG: KASAN: slab-out-of-bounds in snp_begin_psc+0x468/0x890 Write of size 8 at addr ffff888351566648 by task qemu-system-x86/2199 The buggy address belongs to the object at ffff888XXXXXXXXX which belongs to the cache kmalloc-cg-32 of size 32 The buggy address is located N bytes to the right of allocated 32-byte region [ffff888XXXXXXXXX, ffff888XXXXXXXXX) Breakdown: 62 slab-out-of-bounds (reads + writes past allocation) 7 slab-use-after-free 4 use-after-free All credit to Stan for the wonderful description and reproducer! [sean: write changelog]
02KernelScan AI Analysis
Risk summary
A malicious SEV-SNP guest can exploit missing bounds validation in the host kernel's Page State Change (PSC) handler to perform out-of-bounds reads and writes on host kernel heap memory. By controlling the scratch buffer allocation size and PSC entry range via guest-controlled VMGEXIT parameters, the guest can leak host heap layout and corrupt adjacent slab objects. This constitutes a guest-to-host escape primitive affecting any host running SEV-SNP guests with GHCB v2+.
Vulnerability analysis
The root cause is that setup_vmgexit_scratch() allocates a kernel buffer using kvzalloc(exit_info_2) where exit_info_2 is entirely guest-controlled, and snp_begin_psc() validates end_entry only against VMGEXIT_PSC_MAX_COUNT (253) rather than against the actual allocated buffer size. A guest can set exit_info_2=24 to get a 24-byte allocation (kmalloc-cg-32), then set end_entry to a large value (e.g. 10+), causing the host to iterate entries[idx] far beyond the 2 valid entries in the allocation, reading and writing into adjacent slab objects. The OOB reads leak heap layout; the OOB writes corrupt adjacent objects with cur_page values; repeated VMGEXITs can trigger use-after-free conditions. The fix enforces that when GHCB v2+ is in use, the scratch area must reside within the GHCB's shared buffer (which has a bounded, known size), preventing the guest from supplying an arbitrary allocation size. The attack surface is a local unprivileged guest VM (from the host's perspective, the QEMU process runs as a low-privilege user) triggering VMGEXIT hypercalls, resulting in a scope change from guest to host kernel.
03Fix Versions
| Branch | Introduced | Fixed in | Patch commit |
|---|---|---|---|
| 6.12 | 6.10 | 6.12.93 | bf9ba093fbb8 |
| 6.18 | 6.10 | 6.18.35 | c9b4198fbc6e |
| 7.0 | 6.10 | 7.0.12 | b328ede59ac3 |
| mainline | 6.10 | 7.1 | db3f2195d293 |