Per https://www.spinics.net/lists/kvm/msg156651.html:

Due to a combination of a bug in nEPT (patch 1), and a broken safety
net elsewhere in the MMU code (patch 2), a malicious guest could use
nested EPT to overwrite kernel memory.  In particular, the arrays in
struct guest_walker could be accessed with index -1 and the "level" and
"max_level" fields overwritten:

struct guest_walker {
        int level;
        unsigned max_level;
        gfn_t table_gfn[PT_MAX_FULL_LEVELS];
	...
}

Because the level field is used as an index into array, it is at least
possible to overwrite the kernel stack and this should be treated as a
possible guest-to-host escape on Intel hosts with nested virtualization
enabled.

While the incorrect code in patch 1 is present since Linux 3.12, the
bug only affects Linux kernels 4.6 and newer.  Therefore, stable kernels
only need to apply the second patch, which has the advantage of applying
more cleanly.

The bug was discovered by Ladislav (Ladi) Prosek from Red Hat.


Containers folks, can you please make sure we apply the patch?