fkie_cve-2024-35791
Vulnerability from fkie_nvd
Published
2024-05-17 13:15
Modified
2024-11-21 09:20
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm-\u003elock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm-\u003elock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn\u0027t fully\nresolve the bug, as region-\u003epages is also dynamically allocated.  I.e. the\nregion structure itself would be fine, but region-\u003epages could be freed.\n\nFlushing multiple pages under kvm-\u003elock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: SVM: Vaciar p\u00e1ginas bajo kvm-\u0026gt;lock para arreglar UAF en svm_register_enc_region() Realice el vaciado de cach\u00e9 de las p\u00e1ginas convertidas en svm_register_enc_region() antes de eliminar kvm-\u0026gt;lock para arreglar el uso -Problemas posteriores a la liberaci\u00f3n en los que la regi\u00f3n y/o su conjunto de p\u00e1ginas podr\u00edan liberarse mediante una tarea diferente, por ejemplo, si el espacio de usuario ya tiene __unregister_enc_region_locked() en cola para la regi\u00f3n. Tenga en cuenta que la alternativa \"obvia\" de usar variables locales no resuelve completamente el error, ya que regi\u00f3n-\u0026gt;p\u00e1ginas tambi\u00e9n se asigna din\u00e1micamente. Es decir, la estructura de la regi\u00f3n en s\u00ed estar\u00eda bien, pero se podr\u00edan liberar regiones-\u0026gt;p\u00e1ginas. Vaciar varias p\u00e1ginas bajo kvm-\u0026gt;lock es desafortunado, pero todo el flujo es un camino lento poco com\u00fan, y el vaciado manual solo es necesario en CPU que carecen de coherencia para la memoria cifrada."
    }
  ],
  "id": "CVE-2024-35791",
  "lastModified": "2024-11-21T09:20:54.250",
  "metrics": {},
  "published": "2024-05-17T13:15:58.873",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.