From: He Zhe <zhe...@windriver.com> Sent: Wednesday, April 9, 2025 11:15 PM
> 
> Hello,
> 
> I'm investigating if v5.15 and earlier versions are vulnerable to the
> following CVEs. Could you please help confirm the following cases?
> 
> For CVE-2024-36912, the suggested fix is 211f514ebf1e ("Drivers: hv: vmbus:
> Track decrypted status in vmbus_gpadl") according to
> https://www.cve.org/CVERecord?id=CVE-2024-36912
> It seems 211f514ebf1e is based on d4dccf353db8 ("Drivers: hv: vmbus: Mark
> vmbus ring buffer visible to host in Isolation VM") which was introduced
> since v5.16. For v5.15 and earlier versions, vmbus ring buffer hadn't been
> made visible to host, so there's no need to backport 211f514ebf1e to those
> versions, right?
> 
> For CVE-2024-36913, the suggested fix is 03f5a999adba ("Drivers: hv: vmbus:
> Leak pages if set_memory_encrypted() fails") according to
> https://www.cve.org/CVERecord?id=CVE-2024-36913
> It seems 03f5a999adba is based on f2f136c05fb6 ("Drivers: hv: vmbus: Add SNP
> support for VMbus channel initiate message") which was introduced since
> v5.16. For v5.15 and earlier versions, monitor pages hadn't been made visible
> to host, so there's no need to backport 03f5a999adba to those versions,
> right?
> 

I agree with your conclusions. The two CVEs you list are for Confidential
Computing virtual machines. Support for CoCo VMs (called "Isolation VMs" in
commits d4dccf353db8 and f2f136c05fb6) on Hyper-V was first added in Linux
kernel version 5.16. So the fixes for the CVEs don't need to be backported to
any versions earlier than 5.16.

Michael Kelley
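
One way to run the check discussed in this thread against a local kernel clone, as an added example that is not part of the original messages: it reports whether the commit a fix is built on is present in a given release. The helper name prereq_status and the clone path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). prereq_status is a hypothetical helper.
# Usage: prereq_status REPO COMMIT REF
# Prints one of:
#   present  - COMMIT is in REF's history, or REF's history contains a
#              commit whose message cites COMMIT's full id (stable-tree
#              backports normally cite the full upstream id)
#   absent   - neither holds, so a fix built on COMMIT has nothing to patch
#   unknown  - COMMIT or REF cannot be resolved in REPO
prereq_status() {
    repo=$1 commit=$2 ref=$3

    # Resolve to the full object id; abbreviated ids are accepted as input.
    full=$(git -C "$repo" rev-parse --verify --quiet "${commit}^{commit}") || {
        echo unknown; return 0; }
    git -C "$repo" rev-parse --verify --quiet "${ref}^{commit}" >/dev/null || {
        echo unknown; return 0; }

    # Direct ancestry: the commit itself is part of the release.
    if git -C "$repo" merge-base --is-ancestor "$full" "$ref"; then
        echo present; return 0
    fi

    # Backport under a different hash: look for the full upstream id in the
    # commit messages reachable from REF.
    hit=$(git -C "$repo" log -n 1 --format=%H --fixed-strings --grep="$full" "$ref")
    if [ -n "$hit" ]; then
        echo present; return 0
    fi

    echo absent
}

# Example invocation against a local kernel clone (path is an assumption):
#   prereq_status ~/src/linux d4dccf353db8 v5.15
#   prereq_status ~/src/linux f2f136c05fb6 v5.15
```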

