From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-31076: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

The absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of
interrupt affinity reconfiguration via procfs. Instead, the change is
deferred until the next instance of the interrupt being triggered on the
original CPU.

When the interrupt next triggers on the original CPU, the new affinity is
enforced within __irq_move_irq(). A vector is allocated from the new CPU,
but the old vector on the original CPU remains and is not immediately
reclaimed. Instead, apicd->move_in_progress is flagged, and the reclaiming
process is delayed until the next trigger of the interrupt on the new CPU.

Upon the subsequent triggering of the interrupt on the new CPU,
irq_complete_move() adds a task to the old CPU's vector_cleanup list if it
remains online. Subsequently, the timer on the old CPU iterates over its
vector_cleanup list, reclaiming old vectors.

However, a rare scenario arises if the old CPU is outgoing before the
interrupt triggers again on the new CPU.

In that case irq_force_complete_move() is not invoked on the outgoing CPU
to reclaim the old apicd->prev_vector because the interrupt isn't currently
affine to the outgoing CPU, and irq_needs_fixup() returns false. Even
though __vector_schedule_cleanup() is later called on the new CPU, it
doesn't reclaim apicd->prev_vector; instead, it simply resets both
apicd->move_in_progress and apicd->prev_vector to 0.

As a result, the vector remains unreclaimed in vector_matrix, leading to a
CPU vector leak.

To address this issue, move the invocation of irq_force_complete_move()
before the irq_needs_fixup() call to reclaim apicd->prev_vector, if the
interrupt is currently, or used to be, affine to the outgoing CPU.

Additionally, reclaim the vector in __vector_schedule_cleanup() as well,
following a warning message, although theoretically it should never see
apicd->move_in_progress with apicd->prev_cpu pointing to an offline CPU.
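The sequence described above, as an added toy model (not kernel code): the apicd field names follow the advisory, while vector_matrix is reduced to a per-CPU allocation count, and the function names and the `fix` flags are assumptions that let the pre-fix and fixed orderings of irq_force_complete_move() and __vector_schedule_cleanup() be compared side by side.

```c
#include <stdbool.h>
#include <string.h>
#define NR_CPUS 2

struct apic_chip_data {
	int cpu, vector;           /* current affinity target */
	int prev_cpu, prev_vector; /* old target while a move is pending */
	bool move_in_progress;
};
/* Toy model: vector_matrix reduced to a per-CPU count of allocated vectors. */
static int vector_matrix[NR_CPUS];
static int alloc_vector(int cpu) { return ++vector_matrix[cpu]; } /* toy: id = count */
int vectors_allocated(void) { return vector_matrix[0] + vector_matrix[1]; }
/* IRQ fires on the old CPU: __irq_move_irq() takes a vector on the new CPU and
 * leaves the old one pending, flagged by move_in_progress. */
static void irq_move(struct apic_chip_data *d, int new_cpu) {
	d->prev_cpu = d->cpu; d->prev_vector = d->vector; d->move_in_progress = true;
	d->cpu = new_cpu; d->vector = alloc_vector(new_cpu);
}
/* irq_force_complete_move(): reclaim prev_vector if the outgoing CPU holds it. */
static void irq_force_complete_move(struct apic_chip_data *d, int cpu) {
	if (!d->move_in_progress || d->prev_cpu != cpu) return;
	vector_matrix[cpu]--;
	d->move_in_progress = false; d->prev_vector = 0;
}
/* Per-IRQ part of the CPU offline path. Pre-fix, the reclaim sits behind the
 * irq_needs_fixup() check, which is false once the IRQ has moved away. */
static void migrate_irq_off_cpu(struct apic_chip_data *d, int cpu, bool fix) {
	if (fix) irq_force_complete_move(d, cpu); /* fix: reclaim before the check */
	if (d->cpu != cpu) return;                /* irq_needs_fixup() == false */
	irq_force_complete_move(d, cpu);          /* (re-targeting omitted) */
}
/* Next trigger on the new CPU with prev_cpu already offline: pre-fix,
 * __vector_schedule_cleanup() only resets the fields; the fix also reclaims. */
static void vector_schedule_cleanup(struct apic_chip_data *d, bool fix) {
	if (!d->move_in_progress) return;
	if (fix) vector_matrix[d->prev_cpu]--;
	d->move_in_progress = false; d->prev_vector = 0;
}
/* Advisory scenario: affinity CPU0 -> CPU1, CPU0 offlined before the IRQ
 * fires on CPU1. Returns vectors still marked allocated: 2 = leak, 1 = ok. */
int run_scenario(bool fix_hotplug, bool fix_cleanup) {
	memset(vector_matrix, 0, sizeof vector_matrix);
	struct apic_chip_data d = { .cpu = 0, .vector = alloc_vector(0) };
	irq_move(&d, 1);                          /* IRQ fires on CPU0, moves to CPU1 */
	migrate_irq_off_cpu(&d, 0, fix_hotplug);  /* CPU0 goes offline */
	vector_schedule_cleanup(&d, fix_cleanup); /* IRQ now fires on CPU1 */
	return vectors_allocated();
}
```

Either half of the fix on its own closes the leak in this model, which matches the advisory's note that the __vector_schedule_cleanup() reclaim is a safety net that should not normally be reached.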

The Linux kernel CVE team has assigned CVE-2024-31076 to this issue.


Affected and fixed versions
===========================

Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 4.19.316 with commit a40209d355afe4ed6d533507838c9e5cd70a76d8
Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 5.4.278 with commit f5f4675960609d8c5ee95f027fbf6ce380f98372
Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 5.10.219 with commit 6752dfcfff3ac3e16625ebd3f0ad9630900e7e76
Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 5.15.161 with commit 9eeda3e0071a329af1eba15f4e57dc39576bb420
Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 6.1.93 with commit e9c96d01d520498b169ce734a8ad1142bef86a30
Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 6.6.33 with commit 59f86a2908380d09cdc726461c0fbb8d8579c99f
Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 6.9.4 with commit ebfb16fc057a016abb46a9720a54abf0d4f6abe1
Issue introduced in 4.13 with commit f0383c24b4855f6a4b5a358c7b2d2c16e0437e9b and fixed in 6.10 with commit a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32

Please see https://www.kernel.org for the full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-31076
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
arch/x86/kernel/apic/vector.c
kernel/irq/cpuhotplug.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8
https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372
https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76
https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420
https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30
https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f
https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1
https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32