From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-40953: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the
loads and stores are atomic. In the extremely unlikely scenario the
compiler tears the stores, it's theoretically possible for KVM to attempt
to get a vCPU using an out-of-bounds index, e.g. if the write is split
into multiple 8-bit stores, and is paired with a 32-bit load on a VM with
257 vCPUs:
  CPU0                                CPU1
  last_boosted_vcpu = 0xff;
                                      (last_boosted_vcpu = 0x100)
                                      last_boosted_vcpu[15:8] = 0x01;
  i = (last_boosted_vcpu = 0x1ff)
                                      last_boosted_vcpu[7:0] = 0x00;
  vcpu = kvm->vcpu_array[0x1ff];
As detected by KCSAN:
BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]
write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
__x64_sys_ioctl (fs/ioctl.c:890)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
__x64_sys_ioctl (fs/ioctl.c:890)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
value changed: 0x00000012 -> 0x00000000
The Linux kernel CVE team has assigned CVE-2024-40953 to this issue.
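The interleaving in the description is easy to misread as a plain racy counter. The point is narrower: both the old index (0xff) and the new index (0x100) are valid for a 257-vCPU VM, yet a 32-bit load that lands between two byte stores sees bytes from each and returns 0x1ff, which no vCPU has. The following is an added example, not kernel code and not from the commit: it models the 32-bit field as bytes, enumerates every value a byte-torn store could expose, and checks whether any of them exceeds the vCPU count. The atomic pair at the end is the user-space stand-in for what WRITE_ONCE()/READ_ONCE() guarantee in the kernel (a single non-torn access); all function names are this example's own.

```c
/*
 * Added example (not from the kernel tree).  Models the store-tearing hazard
 * fixed by CVE-2024-40953: kvm->last_boosted_vcpu is a 32-bit index into
 * kvm->vcpu_array, and a 32-bit load racing with a store that the compiler
 * split into byte stores can observe a mix of old and new bytes.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdatomic.h>

#define NR_VCPUS 257u   /* 0x101: the VM size used in the advisory */

/*
 * Value a 32-bit reader sees if only the bytes selected by done_mask
 * (bit k set => byte k of the new value has already landed) have been
 * stored so far; the remaining bytes still hold the old value.
 */
static uint32_t observe_torn(uint32_t from, uint32_t to, unsigned done_mask)
{
    uint32_t seen = 0;
    for (unsigned k = 0; k < 4; k++) {
        uint32_t src = (done_mask & (1u << k)) ? to : from;
        seen |= src & (0xffu << (8 * k));
    }
    return seen;
}

/* Largest value any interleaving of a byte-torn store could expose. */
static uint32_t max_torn_value(uint32_t from, uint32_t to)
{
    uint32_t max = 0;
    for (unsigned m = 0; m < 16; m++) {   /* every subset of the 4 bytes */
        uint32_t v = observe_torn(from, to, m);
        if (v > max)
            max = v;
    }
    return max;
}

/*
 * True when a torn store from `from` to `to` can yield an index that is
 * >= nr_vcpus even though both endpoints are themselves in bounds: the
 * exact condition under which the advisory's out-of-bounds lookup arises.
 */
static bool torn_store_can_overflow(uint32_t from, uint32_t to, uint32_t nr_vcpus)
{
    return from < nr_vcpus && to < nr_vcpus &&
           max_torn_value(from, to) >= nr_vcpus;
}

/*
 * The precise interleaving from the advisory: CPU1 has stored
 * last_boosted_vcpu[15:8] = 0x01 (byte 1 of 0x100) but not yet
 * last_boosted_vcpu[7:0] = 0x00, when CPU0 performs its 32-bit load.
 */
static uint32_t advisory_interleaving(void)
{
    return observe_torn(0xff, 0x100, 1u << 1);
}

/*
 * Fixed side.  A relaxed C11 atomic store/load is a single, non-torn access,
 * the user-space equivalent of WRITE_ONCE()/READ_ONCE(): a concurrent reader
 * sees either the old or the new index, never a byte mixture of the two.
 */
static _Atomic uint32_t last_boosted_vcpu;

static void set_last_boosted(uint32_t idx)
{
    atomic_store_explicit(&last_boosted_vcpu, idx, memory_order_relaxed);
}

static uint32_t get_last_boosted(void)
{
    return atomic_load_explicit(&last_boosted_vcpu, memory_order_relaxed);
}
```

Running torn_store_can_overflow(0xff, 0x100, NR_VCPUS) returns true while torn_store_can_overflow(0x10, 0x11, NR_VCPUS) returns false, which is why the advisory's scenario needs a transition that crosses a byte boundary on a VM with more than 256 vCPUs. The atomic accessors do not bound-check the index; they only close the tearing window, which is exactly the scope of the upstream fix.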
Affected and fixed versions
===========================
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 4.19.323 with commit 11a772d5376aa6d3e2e69b5b5c585f79b60c0e17
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 5.4.285 with commit 4c141136a28421b78f34969b25a4fa32e06e2180
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 5.10.228 with commit 71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 5.15.169 with commit 82bd728a06e55f5b5f93d10ce67f4fe7e689853a
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 6.1.96 with commit 92c77807d938145c7c3350c944ef9f39d7f6017c
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 6.6.36 with commit a937ef951bba72f48d2402451419d725d70dba20
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 6.9.7 with commit 95c8dd79f3a14df96b3820b35b8399bd91b2be60
Issue introduced in 2.6.39 with commit 217ece6129f2d3b4fdd18d9e79be9e43d8d14a42 and fixed in 6.10 with commit 49f683b41f28918df3e51ddc0d928cb2e934ccdb
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-40953
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
virt/kvm/kvm_main.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17
https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180
https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84
https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a
https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c
https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20
https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60
https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb