cve-2024-31076
Vulnerability from cvelistv5
Published
2024-06-21 10:18
Modified
2024-11-05 09:22
Severity ?
Summary
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:46:03.929Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31076",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:09:53.896904Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:46.615Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/apic/vector.c",
            "kernel/irq/cpuhotplug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a40209d355af",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            },
            {
              "lessThan": "f5f467596060",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            },
            {
              "lessThan": "6752dfcfff3a",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            },
            {
              "lessThan": "9eeda3e0071a",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            },
            {
              "lessThan": "e9c96d01d520",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            },
            {
              "lessThan": "59f86a290838",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            },
            {
              "lessThan": "ebfb16fc057a",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            },
            {
              "lessThan": "a6c11c0a5235",
              "status": "affected",
              "version": "f0383c24b485",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/apic/vector.c",
            "kernel/irq/cpuhotplug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.316",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.278",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.219",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.161",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\n\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\ninterrupt affinity reconfiguration via procfs. Instead, the change is\ndeferred until the next instance of the interrupt being triggered on the\noriginal CPU.\n\nWhen the interrupt next triggers on the original CPU, the new affinity is\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\nbut the old vector on the original CPU remains and is not immediately\nreclaimed. Instead, apicd-\u003emove_in_progress is flagged, and the reclaiming\nprocess is delayed until the next trigger of the interrupt on the new CPU.\n\nUpon the subsequent triggering of the interrupt on the new CPU,\nirq_complete_move() adds a task to the old CPU\u0027s vector_cleanup list if it\nremains online. Subsequently, the timer on the old CPU iterates over its\nvector_cleanup list, reclaiming old vectors.\n\nHowever, a rare scenario arises if the old CPU is outgoing before the\ninterrupt triggers again on the new CPU.\n\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\nto reclaim the old apicd-\u003eprev_vector because the interrupt isn\u0027t currently\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\nthough __vector_schedule_cleanup() is later called on the new CPU, it\ndoesn\u0027t reclaim apicd-\u003eprev_vector; instead, it simply resets both\napicd-\u003emove_in_progress and apicd-\u003eprev_vector to 0.\n\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\nCPU vector leak.\n\nTo address this issue, move the invocation of irq_force_complete_move()\nbefore the irq_needs_fixup() call to reclaim apicd-\u003eprev_vector, if the\ninterrupt is currently or used to be affine to the outgoing CPU.\n\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\nfollowing a warning message, although theoretically it should never see\napicd-\u003emove_in_progress with apicd-\u003eprev_cpu pointing to an offline CPU."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:22:02.669Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372"
        },
        {
          "url": "https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76"
        },
        {
          "url": "https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30"
        },
        {
          "url": "https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32"
        }
      ],
      "title": "genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-31076",
    "datePublished": "2024-06-21T10:18:04.335Z",
    "dateReserved": "2024-06-21T10:13:16.276Z",
    "dateUpdated": "2024-11-05T09:22:02.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-31076\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-21T11:15:09.673\",\"lastModified\":\"2024-07-15T07:15:03.810\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngenirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline\\n\\nThe absence of IRQD_MOVE_PCNTXT prevents immediate effectiveness of\\ninterrupt affinity reconfiguration via procfs. Instead, the change is\\ndeferred until the next instance of the interrupt being triggered on the\\noriginal CPU.\\n\\nWhen the interrupt next triggers on the original CPU, the new affinity is\\nenforced within __irq_move_irq(). A vector is allocated from the new CPU,\\nbut the old vector on the original CPU remains and is not immediately\\nreclaimed. Instead, apicd-\u003emove_in_progress is flagged, and the reclaiming\\nprocess is delayed until the next trigger of the interrupt on the new CPU.\\n\\nUpon the subsequent triggering of the interrupt on the new CPU,\\nirq_complete_move() adds a task to the old CPU\u0027s vector_cleanup list if it\\nremains online. Subsequently, the timer on the old CPU iterates over its\\nvector_cleanup list, reclaiming old vectors.\\n\\nHowever, a rare scenario arises if the old CPU is outgoing before the\\ninterrupt triggers again on the new CPU.\\n\\nIn that case irq_force_complete_move() is not invoked on the outgoing CPU\\nto reclaim the old apicd-\u003eprev_vector because the interrupt isn\u0027t currently\\naffine to the outgoing CPU, and irq_needs_fixup() returns false. Even\\nthough __vector_schedule_cleanup() is later called on the new CPU, it\\ndoesn\u0027t reclaim apicd-\u003eprev_vector; instead, it simply resets both\\napicd-\u003emove_in_progress and apicd-\u003eprev_vector to 0.\\n\\nAs a result, the vector remains unreclaimed in vector_matrix, leading to a\\nCPU vector leak.\\n\\nTo address this issue, move the invocation of irq_force_complete_move()\\nbefore the irq_needs_fixup() call to reclaim apicd-\u003eprev_vector, if the\\ninterrupt is currently or used to be affine to the outgoing CPU.\\n\\nAdditionally, reclaim the vector in __vector_schedule_cleanup() as well,\\nfollowing a warning message, although theoretically it should never see\\napicd-\u003emove_in_progress with apicd-\u003eprev_cpu pointing to an offline CPU.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: genirq/cpuhotplug, x86/vector: evita la fuga de vectores durante la CPU fuera de l\u00ednea. La ausencia de IRQD_MOVE_PCNTXT impide la efectividad inmediata de la reconfiguraci\u00f3n de la afinidad de interrupci\u00f3n a trav\u00e9s de procfs. En cambio, el cambio se difiere hasta la siguiente instancia de interrupci\u00f3n que se activa en la CPU original. La siguiente vez que se activa la interrupci\u00f3n en la CPU original, la nueva afinidad se aplica dentro de __irq_move_irq(). Se asigna un vector desde la nueva CPU, pero el vector antiguo en la CPU original permanece y no se recupera inmediatamente. En su lugar, se marca apicd-\u0026gt;move_in_progress y el proceso de recuperaci\u00f3n se retrasa hasta el siguiente desencadenante de la interrupci\u00f3n en la nueva CPU. Tras la activaci\u00f3n posterior de la interrupci\u00f3n en la nueva CPU, irq_complete_move() agrega una tarea a la lista vector_cleanup de la CPU anterior si permanece en l\u00ednea. Posteriormente, el temporizador de la CPU antigua itera sobre su lista vector_cleanup, recuperando vectores antiguos. Sin embargo, surge un escenario poco com\u00fan si la CPU antigua sale antes de que la interrupci\u00f3n se active nuevamente en la nueva CPU. En ese caso, irq_force_complete_move() no se invoca en la CPU saliente para recuperar el antiguo apicd-\u0026gt;prev_vector porque la interrupci\u00f3n no es actualmente af\u00edn a la CPU saliente, e irq_needs_fixup() devuelve false. Aunque m\u00e1s tarde se llama a __vector_schedule_cleanup() en la nueva CPU, no reclama apicd-\u0026gt;prev_vector; en su lugar, simplemente restablece apicd-\u0026gt;move_in_progress y apicd-\u0026gt;prev_vector a 0. Como resultado, el vector permanece sin reclamar en vector_matrix, lo que provoca una fuga de vector de CPU. Para solucionar este problema, mueva la invocaci\u00f3n de irq_force_complete_move() antes de la llamada irq_needs_fixup() para recuperar apicd-\u0026gt;prev_vector, si la interrupci\u00f3n es actualmente o sol\u00eda ser af\u00edn a la CPU saliente. Adem\u00e1s, recupere tambi\u00e9n el vector en __vector_schedule_cleanup(), despu\u00e9s de un mensaje de advertencia, aunque en teor\u00eda nunca deber\u00eda ver apicd-\u0026gt;move_in_progress con apicd-\u0026gt;prev_cpu apuntando a una CPU fuera de l\u00ednea.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/59f86a2908380d09cdc726461c0fbb8d8579c99f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6752dfcfff3ac3e16625ebd3f0ad9630900e7e76\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9eeda3e0071a329af1eba15f4e57dc39576bb420\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a40209d355afe4ed6d533507838c9e5cd70a76d8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a6c11c0a5235fb144a65e0cb2ffd360ddc1f6c32\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e9c96d01d520498b169ce734a8ad1142bef86a30\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ebfb16fc057a016abb46a9720a54abf0d4f6abe1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f5f4675960609d8c5ee95f027fbf6ce380f98372\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.