CVE-2021-4440: 
Linux Kernel vulnerability analysis and mitigation

CVE-2021-4440 is a vulnerability in the Linux kernel that affects systems with CONFIGPARAVIRTXXL enabled (commonly enabled by distributions that build in paravirtualized Xen support). The vulnerability was discovered in 2024 and was introduced through a backport of MDS (Microarchitectural Data Sampling) mitigation patches to the 5.10 kernel series (GRSecurity Blog).

The vulnerability occurs in the x8664 syscall return path where CLEARCPUBUFFERS (which includes the VERW instruction for MDS mitigation) is not executed when returning via sysret. This happens because under CONFIGPARAVIRTXXL, the USERGSSYSRET64 macro is runtime patched to only execute swapgs and sysretq instructions, omitting the crucial CLEARCPUBUFFERS operation. The vulnerability has been assigned a CVSS score of 8.8 High (ASEC).

The absence of the VERW-based clearing means there is no mitigation of MDS on the 64-bit syscall path, which is one of the most critical places for such protection. This results in potential information leakage of kernel pointers and data, as well as the ability to break KASLR (Kernel Address Space Layout Randomization) (GRSecurity Blog).

The vulnerability was fixed in Linux kernel version 5.10.218 by dropping the USERGSSYSRET64 paravirt call and explicitly adding CLEARCPUBUFFERS to the syscallreturnviasysret path. The fix ensures that the sysret path properly executes the sequence: swapgs, CLEARCPUBUFFERS, sysretq (Kernel Git).