CVE-2024-57951
Vulnerability from cvelistv5
Published
2025-02-12 13:27
Modified
2025-02-12 13:27
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: hrtimers: Handle CPU state correctly on hotplug Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to CPUHP_ONLINE: Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set to 1 throughout. However, during a CPU unplug operation, the tick and the clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online state, for instance CFS incorrectly assumes that the hrtick is already active, and the chance of the clockevent device to transition to oneshot mode is also lost forever for the CPU, unless it goes back to a lower state than CPUHP_HRTIMERS_PREPARE once. This round-trip reveals another issue; cpu_base.online is not set to 1 after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer(). Aside of that, the bulk of the per CPU state is not reset either, which means there are dangling pointers in the worst case. Address this by adding a corresponding startup() callback, which resets the stale per CPU state and sets the online flag. [ tglx: Make the new callback unconditionally available, remove the online modification in the prepare() callback and clear the remaining state in the starting callback instead of the prepare callback ]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbcPatch
Impacted products
Vendor Product Version
Linux Linux Version: 54d0d83a53508d687fd4a225f8aa1f18559562d0
Version: 7f4c89400d2997939f6971c7981cc780a219e36b
Version: 6fcbcc6c8e52650749692c7613cbe71bf601670d
Version: 75b5016ce325f1ef9c63e5398a1064cf8a7a7354
Version: 53f408cad05bb987af860af22f4151e5a18e6ee8
Version: 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94
Version: 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94
 Create a notification for this product.
   Linux Linux Version: 6.7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hrtimer.h",
            "kernel/cpu.c",
            "kernel/time/hrtimer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95e4f62df23f4df1ce6ef897d44b8e23c260921a",
              "status": "affected",
              "version": "54d0d83a53508d687fd4a225f8aa1f18559562d0",
              "versionType": "git"
            },
            {
              "lessThan": "14984139f1f2768883332965db566ef26db609e7",
              "status": "affected",
              "version": "7f4c89400d2997939f6971c7981cc780a219e36b",
              "versionType": "git"
            },
            {
              "lessThan": "15b453db41d36184cf0ccc21e7df624014ab6a1a",
              "status": "affected",
              "version": "6fcbcc6c8e52650749692c7613cbe71bf601670d",
              "versionType": "git"
            },
            {
              "lessThan": "3d41dbf82e10c44e53ea602398ab002baec27e75",
              "status": "affected",
              "version": "75b5016ce325f1ef9c63e5398a1064cf8a7a7354",
              "versionType": "git"
            },
            {
              "lessThan": "a5cbbea145b400e40540c34816d16d36e0374fbc",
              "status": "affected",
              "version": "53f408cad05bb987af860af22f4151e5a18e6ee8",
              "versionType": "git"
            },
            {
              "lessThan": "38492f6ee883c7b1d33338bf531a62cff69b4b28",
              "status": "affected",
              "version": "5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94",
              "versionType": "git"
            },
            {
              "lessThan": "2f8dea1692eef2b7ba6a256246ed82c365fdc686",
              "status": "affected",
              "version": "5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/hrtimer.h",
            "kernel/cpu.c",
            "kernel/time/hrtimer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.290",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhrtimers: Handle CPU state correctly on hotplug\n\nConsider a scenario where a CPU transitions from CPUHP_ONLINE to halfway\nthrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to\nCPUHP_ONLINE:\n\nSince hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set\nto 1 throughout. However, during a CPU unplug operation, the tick and the\nclockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online\nstate, for instance CFS incorrectly assumes that the hrtick is already\nactive, and the chance of the clockevent device to transition to oneshot\nmode is also lost forever for the CPU, unless it goes back to a lower state\nthan CPUHP_HRTIMERS_PREPARE once.\n\nThis round-trip reveals another issue; cpu_base.online is not set to 1\nafter the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().\n\nAside of that, the bulk of the per CPU state is not reset either, which\nmeans there are dangling pointers in the worst case.\n\nAddress this by adding a corresponding startup() callback, which resets the\nstale per CPU state and sets the online flag.\n\n[ tglx: Make the new callback unconditionally available, remove the online\n  \tmodification in the prepare() callback and clear the remaining\n  \tstate in the starting callback instead of the prepare callback ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-12T13:27:53.124Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a"
        },
        {
          "url": "https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686"
        }
      ],
      "title": "hrtimers: Handle CPU state correctly on hotplug",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57951",
    "datePublished": "2025-02-12T13:27:53.124Z",
    "dateReserved": "2025-01-19T11:50:08.381Z",
    "dateUpdated": "2025-02-12T13:27:53.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-57951\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-12T14:15:31.403\",\"lastModified\":\"2025-02-14T15:57:18.047\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhrtimers: Handle CPU state correctly on hotplug\\n\\nConsider a scenario where a CPU transitions from CPUHP_ONLINE to halfway\\nthrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to\\nCPUHP_ONLINE:\\n\\nSince hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set\\nto 1 throughout. However, during a CPU unplug operation, the tick and the\\nclockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online\\nstate, for instance CFS incorrectly assumes that the hrtick is already\\nactive, and the chance of the clockevent device to transition to oneshot\\nmode is also lost forever for the CPU, unless it goes back to a lower state\\nthan CPUHP_HRTIMERS_PREPARE once.\\n\\nThis round-trip reveals another issue; cpu_base.online is not set to 1\\nafter the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().\\n\\nAside of that, the bulk of the per CPU state is not reset either, which\\nmeans there are dangling pointers in the worst case.\\n\\nAddress this by adding a corresponding startup() callback, which resets the\\nstale per CPU state and sets the online flag.\\n\\n[ tglx: Make the new callback unconditionally available, remove the online\\n  \\tmodification in the prepare() callback and clear the remaining\\n  \\tstate in the starting callback instead of the prepare callback ]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hrtimers: Controlar el estado de la CPU correctamente en hotplug Considere un escenario donde una CPU pasa de CPUHP_ONLINE a la mitad de un hotunplug de CPU hasta CPUHP_HRTIMERS_PREPARE, y luego vuelve a CPUHP_ONLINE: Dado que hrtimers_prepare_cpu() no se ejecuta, cpu_base.hres_active permanece establecido en 1 durante todo el proceso. Sin embargo, durante una operaci\u00f3n de desconexi\u00f3n de la CPU, el tick y los clockevents se apagan en CPUHP_AP_TICK_DYING. Al volver al estado en l\u00ednea, por ejemplo, CFS supone incorrectamente que el hrtick ya est\u00e1 activo, y la posibilidad de que el dispositivo clockevent pase al modo one-shot tambi\u00e9n se pierde para siempre para la CPU, a menos que vuelva a un estado inferior a CPUHP_HRTIMERS_PREPARE una vez. Este viaje de ida y vuelta revela otro problema; cpu_base.online no se establece en 1 despu\u00e9s de la transici\u00f3n, lo que aparece como WARN_ON_ONCE en enqueue_hrtimer(). Aparte de eso, la mayor parte del estado por CPU tampoco se restablece, lo que significa que hay punteros inactivos en el peor de los casos. Resuelva esto agregando una devoluci\u00f3n de llamada startup() correspondiente, que restablece el estado obsoleto por CPU y establece el indicador en l\u00ednea. [ tglx: haga que la nueva devoluci\u00f3n de llamada est\u00e9 disponible incondicionalmente, elimine la modificaci\u00f3n en l\u00ednea en la devoluci\u00f3n de llamada prepare() y borre el estado restante en la devoluci\u00f3n de llamada de inicio en lugar de la devoluci\u00f3n de llamada de preparaci\u00f3n ]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.302\",\"versionEndExcluding\":\"4.20\",\"matchCriteriaId\":\"2AB35967-8241-4BF5-B781-B331B439E208\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.264\",\"versionEndExcluding\":\"5.4.290\",\"matchCriteriaId\":\"D484C596-D387-4551-B727-6BC0B030AA70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.204\",\"versionEndExcluding\":\"5.10.234\",\"matchCriteriaId\":\"33F01B45-42CA-4B50-B3A4-7A67DB1A534B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.143\",\"versionEndExcluding\":\"5.15.177\",\"matchCriteriaId\":\"477F2C85-CBB5-44FD-85D9-2AF8197641CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.68\",\"versionEndExcluding\":\"6.1.127\",\"matchCriteriaId\":\"D5FDA4DE-7749-464F-85A4-56CE4C6B7A15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.7\",\"versionEndExcluding\":\"6.6.74\",\"matchCriteriaId\":\"823FCD43-4F73-4C5C-BDA7-21CE53729898\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.11\",\"matchCriteriaId\":\"B7D0DBC3-F63C-4396-8A47-6F3D4FA0556E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"62567B3C-6CEE-46D0-BC2E-B3717FBF7D13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A073481-106D-4B15-B4C7-FB0213B8E1D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE491969-75AE-4A6B-9A58-8FC5AF98798F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"93C0660D-7FB8-4FBA-892A-B064BA71E49E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"034C36A6-C481-41F3-AE9A-D116E5BE6895\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"5DFCDFB8-4FD0-465A-9076-D813D78FE51B\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.