cve-2024-35980
Vulnerability from cvelistv5
Published
2024-05-20 09:42
Modified
2024-11-05 09:26
Severity ?
Summary
arm64: tlb: Fix TLBI RANGE operand
Impacted products
Vendor Product Version
Linux Linux Version: 6.6
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35980",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-20T17:01:18.086941Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:21.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:49.188Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ac4ad513de4fba18b4ac0ace132777d0910e8cfa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/944db7b536baaf49d7e576af36a94f4719552b07"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e3ba51ab24fddef79fc212f9840de54db8fd1685"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/include/asm/tlbflush.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac4ad513de4f",
              "status": "affected",
              "version": "117940aa6e5f",
              "versionType": "git"
            },
            {
              "lessThan": "944db7b536ba",
              "status": "affected",
              "version": "117940aa6e5f",
              "versionType": "git"
            },
            {
              "lessThan": "e3ba51ab24fd",
              "status": "affected",
              "version": "117940aa6e5f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/include/asm/tlbflush.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.29",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: tlb: Fix TLBI RANGE operand\n\nKVM/arm64 relies on TLBI RANGE feature to flush TLBs when the dirty\npages are collected by VMM and the page table entries become write\nprotected during live migration. Unfortunately, the operand passed\nto the TLBI RANGE instruction isn\u0027t correctly sorted out due to the\ncommit 117940aa6e5f (\"KVM: arm64: Define kvm_tlb_flush_vmid_range()\").\nIt leads to crash on the destination VM after live migration because\nTLBs aren\u0027t flushed completely and some of the dirty pages are missed.\n\nFor example, I have a VM where 8GB memory is assigned, starting from\n0x40000000 (1GB). Note that the host has 4KB as the base page size.\nIn the middile of migration, kvm_tlb_flush_vmid_range() is executed\nto flush TLBs. It passes MAX_TLBI_RANGE_PAGES as the argument to\n__kvm_tlb_flush_vmid_range() and __flush_s2_tlb_range_op(). SCALE#3\nand NUM#31, corresponding to MAX_TLBI_RANGE_PAGES, isn\u0027t supported\nby __TLBI_RANGE_NUM(). In this specific case, -1 has been returned\nfrom __TLBI_RANGE_NUM() for SCALE#3/2/1/0 and rejected by the loop\nin the __flush_tlb_range_op() until the variable @scale underflows\nand becomes -9, 0xffff708000040000 is set as the operand. The operand\nis wrong since it\u0027s sorted out by __TLBI_VADDR_RANGE() according to\ninvalid @scale and @num.\n\nFix it by extending __TLBI_RANGE_NUM() to support the combination of\nSCALE#3 and NUM#31. With the changes, [-1 31] instead of [-1 30] can\nbe returned from the macro, meaning the TLBs for 0x200000 pages in the\nabove example can be flushed in one shoot with SCALE#3 and NUM#31. The\nmacro TLBI_RANGE_MASK is dropped since no one uses it any more. The\ncomments are also adjusted accordingly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:26:09.678Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac4ad513de4fba18b4ac0ace132777d0910e8cfa"
        },
        {
          "url": "https://git.kernel.org/stable/c/944db7b536baaf49d7e576af36a94f4719552b07"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3ba51ab24fddef79fc212f9840de54db8fd1685"
        }
      ],
      "title": "arm64: tlb: Fix TLBI RANGE operand",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35980",
    "datePublished": "2024-05-20T09:42:05.085Z",
    "dateReserved": "2024-05-17T13:50:33.144Z",
    "dateUpdated": "2024-11-05T09:26:09.678Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35980\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-20T10:15:12.550\",\"lastModified\":\"2024-05-20T13:00:04.957\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\narm64: tlb: Fix TLBI RANGE operand\\n\\nKVM/arm64 relies on TLBI RANGE feature to flush TLBs when the dirty\\npages are collected by VMM and the page table entries become write\\nprotected during live migration. Unfortunately, the operand passed\\nto the TLBI RANGE instruction isn\u0027t correctly sorted out due to the\\ncommit 117940aa6e5f (\\\"KVM: arm64: Define kvm_tlb_flush_vmid_range()\\\").\\nIt leads to crash on the destination VM after live migration because\\nTLBs aren\u0027t flushed completely and some of the dirty pages are missed.\\n\\nFor example, I have a VM where 8GB memory is assigned, starting from\\n0x40000000 (1GB). Note that the host has 4KB as the base page size.\\nIn the middile of migration, kvm_tlb_flush_vmid_range() is executed\\nto flush TLBs. It passes MAX_TLBI_RANGE_PAGES as the argument to\\n__kvm_tlb_flush_vmid_range() and __flush_s2_tlb_range_op(). SCALE#3\\nand NUM#31, corresponding to MAX_TLBI_RANGE_PAGES, isn\u0027t supported\\nby __TLBI_RANGE_NUM(). In this specific case, -1 has been returned\\nfrom __TLBI_RANGE_NUM() for SCALE#3/2/1/0 and rejected by the loop\\nin the __flush_tlb_range_op() until the variable @scale underflows\\nand becomes -9, 0xffff708000040000 is set as the operand. The operand\\nis wrong since it\u0027s sorted out by __TLBI_VADDR_RANGE() according to\\ninvalid @scale and @num.\\n\\nFix it by extending __TLBI_RANGE_NUM() to support the combination of\\nSCALE#3 and NUM#31. With the changes, [-1 31] instead of [-1 30] can\\nbe returned from the macro, meaning the TLBs for 0x200000 pages in the\\nabove example can be flushed in one shoot with SCALE#3 and NUM#31. The\\nmacro TLBI_RANGE_MASK is dropped since no one uses it any more. The\\ncomments are also adjusted accordingly.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: arm64: tlb: corrige el operando TLBI RANGE KVM/arm64 se basa en la funci\u00f3n TLBI RANGE para vaciar los TLB cuando VMM recopila las p\u00e1ginas sucias y las entradas de la tabla de p\u00e1ginas quedan protegidas contra escritura durante la migraci\u00f3n en vivo. . Desafortunadamente, el operando pasado a la instrucci\u00f3n TLBI RANGE no est\u00e1 ordenado correctamente debido a la confirmaci\u00f3n 117940aa6e5f (\\\"KVM: arm64: Define kvm_tlb_flush_vmid_range()\\\"). Esto provoca un bloqueo en la m\u00e1quina virtual de destino despu\u00e9s de la migraci\u00f3n en vivo porque los TLB no se vac\u00edan por completo y se omiten algunas de las p\u00e1ginas sucias. Por ejemplo, tengo una m\u00e1quina virtual a la que se asignan 8 GB de memoria, a partir de 0x40000000 (1 GB). Tenga en cuenta que el host tiene 4 KB como tama\u00f1o de p\u00e1gina base. En medio de la migraci\u00f3n, se ejecuta kvm_tlb_flush_vmid_range() para vaciar los TLB. Pasa MAX_TLBI_RANGE_PAGES como argumento para __kvm_tlb_flush_vmid_range() y __flush_s2_tlb_range_op(). SCALE#3 y NUM#31, correspondientes a MAX_TLBI_RANGE_PAGES, no son compatibles con __TLBI_RANGE_NUM(). En este caso espec\u00edfico, -1 ha sido devuelto por __TLBI_RANGE_NUM() para SCALE#3/2/1/0 y rechazado por el bucle en __flush_tlb_range_op() hasta que la variable @scale se desborda por debajo y se convierte en -9, 0xffff708000040000 se establece como el operando. El operando es incorrecto ya que __TLBI_VADDR_RANGE() lo ordena seg\u00fan @scale y @num no v\u00e1lidos. Solucionelo extendiendo __TLBI_RANGE_NUM() para admitir la combinaci\u00f3n de SCALE#3 y NUM#31. Con los cambios, [-1 31] en lugar de [-1 30] se puede devolver desde la macro, lo que significa que los TLB para p\u00e1ginas 0x200000 en el ejemplo anterior se pueden vaciar de una vez con ESCALA#3 y NUM#31. La macro TLBI_RANGE_MASK se elimina porque ya nadie la usa. Los comentarios tambi\u00e9n se adaptan en consecuencia.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/944db7b536baaf49d7e576af36a94f4719552b07\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ac4ad513de4fba18b4ac0ace132777d0910e8cfa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e3ba51ab24fddef79fc212f9840de54db8fd1685\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.