fkie_cve-2024-41070
Vulnerability from fkie_nvd
Published
2024-07-29 15:15
Modified
2024-11-21 09:32
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV Call Trace: dump_stack_lvl+0xb4/0x108 (unreliable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Freed by task 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [kvm] rcu_core+0x568/0x16a0 handle_softirqs+0x23c/0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394/0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bfPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50aPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bfPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffePatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCD1D392-BEF8-4D8D-B191-C64E1875241F",
              "versionEndExcluding": "5.4.281",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "12CD4E48-26A1-40B4-AF6A-1CC066193F4C",
              "versionEndExcluding": "5.10.223",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D6B1E23-6E6C-4761-ACD4-EA687A95F56F",
              "versionEndExcluding": "5.15.164",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B46438B-72B8-4053-8554-94AED3EB13EB",
              "versionEndExcluding": "6.1.101",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "972274A2-D688-4C37-BE42-689B58B4C225",
              "versionEndExcluding": "6.6.42",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "01E300B3-8B39-4A2D-8B03-4631433D3915",
              "versionEndExcluding": "6.9.11",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n  Call Trace:\n    dump_stack_lvl+0xb4/0x108 (unreliable)\n    print_report+0x2b4/0x6ec\n    kasan_report+0x118/0x2b0\n    __asan_load4+0xb8/0xd0\n    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n    kvm_vfio_set_attr+0x524/0xac0 [kvm]\n    kvm_device_ioctl+0x144/0x240 [kvm]\n    sys_ioctl+0x62c/0x1810\n    system_call_exception+0x190/0x440\n    system_call_vectored_common+0x15c/0x2ec\n  ...\n  Freed by task 0:\n   ...\n   kfree+0xec/0x3e0\n   release_spapr_tce_table+0xd4/0x11c [kvm]\n   rcu_core+0x568/0x16a0\n   handle_softirqs+0x23c/0x920\n   do_softirq_own_stack+0x6c/0x90\n   do_softirq_own_stack+0x58/0x90\n   __irq_exit_rcu+0x218/0x2d0\n   irq_exit+0x30/0x80\n   arch_local_irq_restore+0x128/0x230\n   arch_local_irq_enable+0x1c/0x30\n   cpuidle_enter_state+0x134/0x5cc\n   cpuidle_enter+0x6c/0xb0\n   call_cpuidle+0x7c/0x100\n   do_idle+0x394/0x410\n   cpu_startup_entry+0x60/0x70\n   start_secondary+0x3fc/0x410\n   start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: PPC: Book3S HV: Prevenir UAF en kvm_spapr_tce_attach_iommu_group() Al inform\u00f3 un posible use after free (UAF) en kvm_spapr_tce_attach_iommu_group(). Busca `stt` en tablefd, pero luego contin\u00faa us\u00e1ndolo despu\u00e9s de realizar fdput() en el fd devuelto. Despu\u00e9s de fdput(), otro hilo puede cerrar el tablefd. El cierre llama a kvm_spapr_tce_release() y luego a release_spapr_tce_table() (a trav\u00e9s de call_rcu()) que libera `stt`. Aunque hay llamadas a rcu_read_lock() en kvm_spapr_tce_attach_iommu_group(), no son suficientes para evitar la UAF, porque `stt` se usa fuera de las regiones bloqueadas. Con un retraso artificial despu\u00e9s de fdput() y un programa de espacio de usuario que desencadena la ejecuci\u00f3n, KASAN detecta la UAF: ERROR: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Lectura de tama\u00f1o 4 en direcci\u00f3n c000200027552c30 por tarea kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Nombre de hardware: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35 -g1851b2a06 Seguimiento de llamadas de PowerNV: dump_stack_lvl+0xb4/0x108 (no confiable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Liberado por la tarea 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [rcu_core+0x568/0 x16a0 handle_softirqs+0x23c /0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x 30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394 /0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Solucionarlo retrasando fdput() hasta que `stt` ya no est\u00e9 en uso, que es efectivamente toda la funci\u00f3n. Para mantener el parche m\u00ednimo, agregue una llamada a fdput() en cada una de las rutas de retorno existentes. El trabajo futuro puede convertir la funci\u00f3n a limpieza de estilo goto o __cleanup. Con la soluci\u00f3n implementada, el caso de prueba ya no activa la UAF."
    }
  ],
  "id": "CVE-2024-41070",
  "lastModified": "2024-11-21T09:32:11.070",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-29T15:15:14.787",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.