The KVM hypervisor on ARM systems has a security flaw that lets an attacker running in the less privileged kernel mode (EL1) gain the hypervisor's privilege (EL2). The flaw has not been fixed yet.
- The ARM architecture defines four exception levels (EL0 to EL3); the higher the level, the more privileged the code running at it
- The hypervisor runs at EL2 and is more privileged than a guest OS kernel, which runs at EL1
- The HVC (hypervisor call) instruction is how EL1 code calls into the hypervisor: it raises a synchronous exception that is taken to EL2
- Exception handlers are reached through exception vectors stored in a special table, the exception vector table
- The VBAR register (VBAR_ELx) points to the exception vector table for each exception level, so VBAR_EL2 selects the hypervisor's table
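The following is an added example, not code from the talk or from the KVM project. It is a host-side C model of the dispatch mechanism summarized above: where a trapped HVC lands relative to the base address held in VBAR_EL2, how the HVC instruction is encoded, and what the hypervisor sees in ESR_EL2 when it arrives. The layout constants (16 vector entries of 0x80 bytes, grouped by the state the exception came from and by exception type; exception class 0x16 for an AArch64 HVC) are architectural; the VBAR_EL2 value used in main() is a constructed sample, not a real hypervisor address.

```c
#include <stdint.h>
#include <stdio.h>

/* Where an exception came from selects one of four groups in the table. */
enum vec_source { CUR_EL_SP0 = 0, CUR_EL_SPX = 1, LOWER_EL_A64 = 2, LOWER_EL_A32 = 3 };
/* The kind of exception selects the entry within that group. */
enum vec_type   { SYNC = 0, IRQ = 1, FIQ = 2, SERROR = 3 };

#define VECTOR_ENTRY_SIZE 0x80u                      /* 32 instructions per entry */
#define VECTOR_GROUP_SIZE (4u * VECTOR_ENTRY_SIZE)   /* 0x200 per source group */

/* Offset of a vector entry from the table base held in VBAR_ELx. */
uint64_t vector_offset(enum vec_source src, enum vec_type type) {
    return (uint64_t)src * VECTOR_GROUP_SIZE + (uint64_t)type * VECTOR_ENTRY_SIZE;
}

/* Address the CPU jumps to: VBAR_ELx base plus the entry offset. */
uint64_t vector_address(uint64_t vbar, enum vec_source src, enum vec_type type) {
    return vbar + vector_offset(src, type);
}

/* Encode HVC #imm16: fixed opcode bits 0xD4000002 with imm16 in bits [20:5]. */
uint32_t encode_hvc(uint16_t imm) {
    return 0xD4000002u | ((uint32_t)imm << 5);
}

/* ESR_EL2 for an HVC taken from AArch64: EC=0x16 in bits [31:26], IL=1 in
 * bit 25, and the 16-bit immediate in the low bits of ISS. */
#define ESR_EC_SHIFT 26
#define ESR_EC_MASK  0x3Fu
#define ESR_EC_HVC64 0x16u
#define ESR_IL       (1u << 25)

uint32_t esr_for_hvc(uint16_t imm) {
    return (ESR_EC_HVC64 << ESR_EC_SHIFT) | ESR_IL | imm;
}

/* What a hypervisor's synchronous handler does first: check the exception
 * class before trusting anything else in ESR. Returns the HVC immediate,
 * or -1 if this trap is not an AArch64 HVC at all. */
int hvc_imm_from_esr(uint32_t esr) {
    if (((esr >> ESR_EC_SHIFT) & ESR_EC_MASK) != ESR_EC_HVC64)
        return -1;
    return (int)(esr & 0xFFFFu);
}

int main(void) {
    uint64_t vbar_el2 = 0xFFFF800010000000ull;  /* constructed sample base */

    /* A guest kernel at EL1 (AArch64) executes HVC #0: synchronous exception
     * from a lower exception level, so entry 2*0x200 + 0*0x80 = 0x400. */
    uint64_t target = vector_address(vbar_el2, LOWER_EL_A64, SYNC);
    printf("HVC from EL1 lands at VBAR_EL2 + 0x%llx = 0x%llx\n",
           (unsigned long long)vector_offset(LOWER_EL_A64, SYNC),
           (unsigned long long)target);

    printf("HVC #0 encodes as 0x%08x\n", encode_hvc(0));
    printf("ESR_EL2 for HVC #0 is 0x%08x, decoded imm = %d\n",
           esr_for_hvc(0), hvc_imm_from_esr(esr_for_hvc(0)));

    /* A data abort from the guest (EC 0x25) reaches the same 0x400 entry,
     * which is why the handler must dispatch on EC, not on entry alone. */
    printf("EC 0x25 is not an HVC: %d\n", hvc_imm_from_esr(0x96000004u));
    return 0;
}
```

The security-relevant point the model makes concrete is that every trap from EL1, whether a hypercall or a fault, enters the hypervisor through the same vector entry and is told apart only by ESR_EL2; the EL2 handler runs with full hypervisor privilege on guest-controlled input, so any mistake there is reachable from an unprivileged guest kernel.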
The speaker found the flaw early this year and reported it to the Reddit product security team with a detailed report and exploit code. After multiple email exchanges, the team understood the problem and escalated it to the KVM team. However, the flaw is still not fixed.