fkie_cve-2024-38610
Vulnerability from fkie_nvd
Published
2024-06-19 14:15
Modified
2024-11-21 09:26
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map() Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes". Patch #1 fixes a bunch of issues I spotted in the acrn driver. It compiles, that's all I know. I'll appreciate some review and testing from acrn folks. Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding more sanity checks, and improving the documentation. Gave it a quick test on x86-64 using VM_PAT that ends up using follow_pte(). This patch (of 3): We currently miss handling various cases, resulting in a dangerous follow_pte() (previously follow_pfn()) usage. (1) We're not checking PTE write permissions. Maybe we should simply always require pte_write() like we do for pin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for ACRN_MEM_ACCESS_WRITE for now. (2) We're not rejecting refcounted pages. As we are not using MMU notifiers, messing with refcounted pages is dangerous and can result in use-after-free. Let's make sure to reject them. (3) We are only looking at the first PTE of a bigger range. We only lookup a single PTE, but memmap->len may span a larger area. Let's loop over all involved PTEs and make sure the PFN range is actually contiguous. Reject everything else: it couldn't have worked either way, and rather made use access PFNs we shouldn't be accessing.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6
Impacted products
Vendor Product Version


To clipboard 

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver.  It\ncompiles, that's all I know.  I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation.  Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing.",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/virt/acrn: corrige las comprobaciones de PFNMAP PTE en acrn_vm_ram_map() Serie de parches \"mm: mejoras en follow_pte() y correcciones en acrn follow_pte()\". El parche n.º 1 soluciona varios problemas que detecté en el controlador acrn. Se compila, eso es todo lo que sé. Apreciaré algunas revisiones y pruebas por parte de la gente de acrn. El parche #2+#3 mejora follow_pte(), pasa un VMA en lugar del MM, agrega más controles de cordura y mejora la documentación. Lo probé rápidamente en x86-64 usando VM_PAT y terminó usando follow_pte(). Este parche (de 3): Actualmente no manejamos varios casos, lo que resulta en un uso peligroso de follow_pte() (anteriormente follow_pfn()). (1) No estamos verificando los permisos de escritura de PTE. ¿Quizás simplemente deberíamos requerir siempre pte_write() como lo hacemos para pin_user_pages_fast(FOLL_WRITE)? Es difícil saberlo, así que busquemos ACRN_MEM_ACCESS_WRITE por ahora. (2) No rechazamos páginas recontadas. Como no utilizamos notificadores MMU, jugar con páginas descontadas es peligroso y puede resultar en use-after-free. Asegurémonos de rechazarlos. (3) Sólo estamos ante el primer PTE de una gama mayor. Solo buscamos una PTE, pero memmap->len puede abarcar un área más grande. Recorramos todos los PTE involucrados y asegurémonos de que el rango de PFN sea realmente contiguo. Rechace todo lo demás: no podría haber funcionado de ninguna manera, y más bien utilizó PFN de acceso a los que no deberíamos acceder.",
      },
   ],
   id: "CVE-2024-38610",
   lastModified: "2024-11-21T09:26:28.660",
   metrics: {},
   published: "2024-06-19T14:15:20.893",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         url: "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Awaiting Analysis",
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.