CVE-2024-53135: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-53135 affects the Linux kernel's KVM (Kernel-based Virtual Machine) implementation, specifically the Intel PT (Processor Trace) virtualization feature in VMX mode. The vulnerability was discovered in late 2024 and affects Linux kernel versions from 5.0 up to versions before 6.1.119, 6.6.63, and 6.11.10 (NVD).

The vulnerability stems from implementation bugs in KVM's Intel PT virtualization guest/host mode. A critical issue is that KVM fails to ensure tracing is disabled and remains disabled prior to VM-Enter, which is required by hardware specifications since loading RTIT_CTL is disallowed when tracing is enabled. Additionally, KVM doesn't properly validate guest CPUID configurations from userspace and incorrectly uses these configurations to determine MSR handling during VM-Enter and VM-Exit operations (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) (NVD).

The vulnerability can lead to multiple adverse effects. For guests, it can cause fatal system crashes due to hardware violations during VM operations. On the host side, improper CPUID configuration handling can result in various issues including WARNs, ToPA ERRORs, potential deadlocks, and overall system stability risks (Kernel Patch).

The issue has been addressed by hiding KVM's pt_mode module parameter behind CONFIG_BROKEN, effectively disabling support for virtualizing Intel PT via guest/host mode unless CONFIG_BROKEN=y. This change was implemented through patches in the Linux kernel. Users should upgrade to Linux kernel versions 6.1.119, 6.6.63, 6.11.10 or later to receive the fix (Kernel Patch).