cve/published/2024/CVE-2024-35804.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35804: KVM: x86: Mark target gfn of emulated atomic instruction as dirty

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: x86: Mark target gfn of emulated atomic instruction as dirty

 When emulating an atomic access on behalf of the guest, mark the target
 gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault.  This
 fixes a bug where KVM effectively corrupts guest memory during live
 migration by writing to guest memory without informing userspace that the
 page is dirty.

 Marking the page dirty got unintentionally dropped when KVM's emulated
 CMPXCHG was converted to do a user access.  Before that, KVM explicitly
 mapped the guest page into kernel memory, and marked the page dirty during
 the unmap phase.

 Mark the page dirty even if the CMPXCHG fails, as the old data is written
 back on failure, i.e. the page is still written.  The value written is
 guaranteed to be the same because the operation is atomic, but KVM's ABI
 is that all writes are dirty logged regardless of the value written.  And
 more importantly, that's what KVM did before the buggy commit.

 Huge kudos to the folks on the Cc list (and many others), who did all the
 actual work of triaging and debugging.

 base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64

 The Linux kernel CVE team has assigned CVE-2024-35804 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.58 with commit d97c0667c1e61ded6639117b4b9584a9c12b7e66 and fixed in 5.15.154 with commit a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66
 	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.1.84 with commit 726374dde5d608b15b9756bd52b6fc283fda7a06
 	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.6.24 with commit 9d1b22e573a3789ed1f32033ee709106993ba551
 	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.7.12 with commit 225d587a073584946c05c9b7651d637bd45c0c71
 	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.8 with commit 910c57dfa4d113aae6571c2a8b9ae8c430975902
 	Issue introduced in 5.17.13 with commit b0f294103f4cf733e23d3f0c4e5fd58e42998921
 	Issue introduced in 5.18.2 with commit e964665cc7ca13a16992b205fce63554b9efc78b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35804
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/x86.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66
 	https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06
 	https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551
 	https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71
 	https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35804: KVM: x86: Mark target gfn of emulated atomic instruction as dirty

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: x86: Mark target gfn of emulated atomic instruction as dirty

	When emulating an atomic access on behalf of the guest, mark the target
	gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This
	fixes a bug where KVM effectively corrupts guest memory during live
	migration by writing to guest memory without informing userspace that the
	page is dirty.

	Marking the page dirty got unintentionally dropped when KVM's emulated
	CMPXCHG was converted to do a user access. Before that, KVM explicitly
	mapped the guest page into kernel memory, and marked the page dirty during
	the unmap phase.

	Mark the page dirty even if the CMPXCHG fails, as the old data is written
	back on failure, i.e. the page is still written. The value written is
	guaranteed to be the same because the operation is atomic, but KVM's ABI
	is that all writes are dirty logged regardless of the value written. And
	more importantly, that's what KVM did before the buggy commit.

	Huge kudos to the folks on the Cc list (and many others), who did all the
	actual work of triaging and debugging.

	base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64

	The Linux kernel CVE team has assigned CVE-2024-35804 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.58 with commit d97c0667c1e61ded6639117b4b9584a9c12b7e66 and fixed in 5.15.154 with commit a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66
	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.1.84 with commit 726374dde5d608b15b9756bd52b6fc283fda7a06
	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.6.24 with commit 9d1b22e573a3789ed1f32033ee709106993ba551
	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.7.12 with commit 225d587a073584946c05c9b7651d637bd45c0c71
	Issue introduced in 5.19 with commit 1c2361f667f3648855ceae25f1332c18413fdb9f and fixed in 6.8 with commit 910c57dfa4d113aae6571c2a8b9ae8c430975902
	Issue introduced in 5.17.13 with commit b0f294103f4cf733e23d3f0c4e5fd58e42998921
	Issue introduced in 5.18.2 with commit e964665cc7ca13a16992b205fce63554b9efc78b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35804
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/x86.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66
	https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06
	https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551
	https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71
	https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902