cve-2024-35804
Vulnerability from cvelistv5
Published
2024-05-17 13:23
Modified
2024-11-05 09:22
Severity ?
Summary
KVM: x86: Mark target gfn of emulated atomic instruction as dirty
Impacted products
Vendor Product Version
Linux Linux Version: 5.19
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35804",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-17T17:16:37.328508Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:33:56.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:47.342Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9bd6bb6f02b",
              "status": "affected",
              "version": "d97c0667c1e6",
              "versionType": "git"
            },
            {
              "lessThan": "726374dde5d6",
              "status": "affected",
              "version": "1c2361f667f3",
              "versionType": "git"
            },
            {
              "lessThan": "9d1b22e573a3",
              "status": "affected",
              "version": "1c2361f667f3",
              "versionType": "git"
            },
            {
              "lessThan": "225d587a0735",
              "status": "affected",
              "version": "1c2361f667f3",
              "versionType": "git"
            },
            {
              "lessThan": "910c57dfa4d1",
              "status": "affected",
              "version": "1c2361f667f3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.154",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn\u0027t fault.  This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM\u0027s emulated\nCMPXCHG was converted to do a user access.  Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written.  The value written is\nguaranteed to be the same because the operation is atomic, but KVM\u0027s ABI\nis that all writes are dirty logged regardless of the value written.  And\nmore importantly, that\u0027s what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:22:39.291Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66"
        },
        {
          "url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551"
        },
        {
          "url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71"
        },
        {
          "url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902"
        }
      ],
      "title": "KVM: x86: Mark target gfn of emulated atomic instruction as dirty",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35804",
    "datePublished": "2024-05-17T13:23:12.895Z",
    "dateReserved": "2024-05-17T12:19:12.341Z",
    "dateUpdated": "2024-11-05T09:22:39.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35804\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-17T14:15:13.550\",\"lastModified\":\"2024-05-17T18:35:35.070\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\\n\\nWhen emulating an atomic access on behalf of the guest, mark the target\\ngfn dirty if the CMPXCHG by KVM is attempted and doesn\u0027t fault.  This\\nfixes a bug where KVM effectively corrupts guest memory during live\\nmigration by writing to guest memory without informing userspace that the\\npage is dirty.\\n\\nMarking the page dirty got unintentionally dropped when KVM\u0027s emulated\\nCMPXCHG was converted to do a user access.  Before that, KVM explicitly\\nmapped the guest page into kernel memory, and marked the page dirty during\\nthe unmap phase.\\n\\nMark the page dirty even if the CMPXCHG fails, as the old data is written\\nback on failure, i.e. the page is still written.  The value written is\\nguaranteed to be the same because the operation is atomic, but KVM\u0027s ABI\\nis that all writes are dirty logged regardless of the value written.  And\\nmore importantly, that\u0027s what KVM did before the buggy commit.\\n\\nHuge kudos to the folks on the Cc list (and many others), who did all the\\nactual work of triaging and debugging.\\n\\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: marcar el gfn de destino de la instrucci\u00f3n at\u00f3mica emulada como sucia Al emular un acceso at\u00f3mico en nombre del invitado, marque el gfn de destino como sucio si se intenta realizar el CMPXCHG por KVM y no falla. Esto corrige un error por el cual KVM corrompe efectivamente la memoria del invitado durante la migraci\u00f3n en vivo al escribir en la memoria del invitado sin informar al espacio de usuario que la p\u00e1gina est\u00e1 sucia. Marcar la p\u00e1gina como sucia se elimin\u00f3 involuntariamente cuando el CMPXCHG emulado de KVM se convirti\u00f3 para realizar un acceso de usuario. Antes de eso, KVM asignaba expl\u00edcitamente la p\u00e1gina invitada a la memoria del kernel y marcaba la p\u00e1gina como sucia durante la fase de desasignaci\u00f3n. Marque la p\u00e1gina como sucia incluso si CMPXCHG falla, ya que los datos antiguos se vuelven a escribir en caso de fallo, es decir, la p\u00e1gina a\u00fan est\u00e1 escrita. Se garantiza que el valor escrito ser\u00e1 el mismo porque la operaci\u00f3n es at\u00f3mica, pero la ABI de KVM es que todas las escrituras se registran de forma sucia independientemente del valor escrito. Y lo que es m\u00e1s importante, eso es lo que hizo KVM antes de la confirmaci\u00f3n del error. Felicitaciones enormes a las personas en la lista Cc (y a muchos otros), que hicieron todo el trabajo de clasificaci\u00f3n y depuraci\u00f3n. confirmaci\u00f3n base: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.