cve-2024-38610
Vulnerability from cvelistv5
Published
2024-06-19 13:56
Modified
2024-11-05 09:30
Severity ?
Summary
drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()
Impacted products
Vendor Product Version
Linux Linux Version: 5.18
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38610",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-24T18:14:59.732296Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-24T18:15:07.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:12:25.993Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/virt/acrn/mm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c6705aa47b5",
              "status": "affected",
              "version": "b9c43aa0b18d",
              "versionType": "git"
            },
            {
              "lessThan": "afeb0e696276",
              "status": "affected",
              "version": "8a6e85f75a83",
              "versionType": "git"
            },
            {
              "lessThan": "e873f36ec890",
              "status": "affected",
              "version": "8a6e85f75a83",
              "versionType": "git"
            },
            {
              "lessThan": "4c4ba3cf3a15",
              "status": "affected",
              "version": "8a6e85f75a83",
              "versionType": "git"
            },
            {
              "lessThan": "2c8d6e24930b",
              "status": "affected",
              "version": "8a6e85f75a83",
              "versionType": "git"
            },
            {
              "lessThan": "3d6586008f7b",
              "status": "affected",
              "version": "8a6e85f75a83",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/virt/acrn/mm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.161",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver.  It\ncompiles, that\u0027s all I know.  I\u0027ll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation.  Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We\u0027re not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let\u0027s check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We\u0027re not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let\u0027s make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap-\u003elen may span a larger area.\nLet\u0027s loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn\u0027t have worked\neither way, and rather made use access PFNs we shouldn\u0027t be accessing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:30:54.706Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a"
        },
        {
          "url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32"
        },
        {
          "url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559"
        }
      ],
      "title": "drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-38610",
    "datePublished": "2024-06-19T13:56:12.083Z",
    "dateReserved": "2024-06-18T19:36:34.942Z",
    "dateUpdated": "2024-11-05T09:30:54.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38610\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-19T14:15:20.893\",\"lastModified\":\"2024-06-20T12:43:25.663\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\\n\\nPatch series \\\"mm: follow_pte() improvements and acrn follow_pte() fixes\\\".\\n\\nPatch #1 fixes a bunch of issues I spotted in the acrn driver.  It\\ncompiles, that\u0027s all I know.  I\u0027ll appreciate some review and testing from\\nacrn folks.\\n\\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\\nmore sanity checks, and improving the documentation.  Gave it a quick test\\non x86-64 using VM_PAT that ends up using follow_pte().\\n\\n\\nThis patch (of 3):\\n\\nWe currently miss handling various cases, resulting in a dangerous\\nfollow_pte() (previously follow_pfn()) usage.\\n\\n(1) We\u0027re not checking PTE write permissions.\\n\\nMaybe we should simply always require pte_write() like we do for\\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let\u0027s check for\\nACRN_MEM_ACCESS_WRITE for now.\\n\\n(2) We\u0027re not rejecting refcounted pages.\\n\\nAs we are not using MMU notifiers, messing with refcounted pages is\\ndangerous and can result in use-after-free. Let\u0027s make sure to reject them.\\n\\n(3) We are only looking at the first PTE of a bigger range.\\n\\nWe only lookup a single PTE, but memmap-\u003elen may span a larger area.\\nLet\u0027s loop over all involved PTEs and make sure the PFN range is\\nactually contiguous. Reject everything else: it couldn\u0027t have worked\\neither way, and rather made use access PFNs we shouldn\u0027t be accessing.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/virt/acrn: corrige las comprobaciones de PFNMAP PTE en acrn_vm_ram_map() Serie de parches \\\"mm: mejoras en follow_pte() y correcciones en acrn follow_pte()\\\". El parche n.\u00ba 1 soluciona varios problemas que detect\u00e9 en el controlador acrn. Se compila, eso es todo lo que s\u00e9. Apreciar\u00e9 algunas revisiones y pruebas por parte de la gente de acrn. El parche #2+#3 mejora follow_pte(), pasa un VMA en lugar del MM, agrega m\u00e1s controles de cordura y mejora la documentaci\u00f3n. Lo prob\u00e9 r\u00e1pidamente en x86-64 usando VM_PAT y termin\u00f3 usando follow_pte(). Este parche (de 3): Actualmente no manejamos varios casos, lo que resulta en un uso peligroso de follow_pte() (anteriormente follow_pfn()). (1) No estamos verificando los permisos de escritura de PTE. \u00bfQuiz\u00e1s simplemente deber\u00edamos requerir siempre pte_write() como lo hacemos para pin_user_pages_fast(FOLL_WRITE)? Es dif\u00edcil saberlo, as\u00ed que busquemos ACRN_MEM_ACCESS_WRITE por ahora. (2) No rechazamos p\u00e1ginas recontadas. Como no utilizamos notificadores MMU, jugar con p\u00e1ginas descontadas es peligroso y puede resultar en use-after-free. Asegur\u00e9monos de rechazarlos. (3) S\u00f3lo estamos ante el primer PTE de una gama mayor. Solo buscamos una PTE, pero memmap-\u0026gt;len puede abarcar un \u00e1rea m\u00e1s grande. Recorramos todos los PTE involucrados y asegur\u00e9monos de que el rango de PFN sea realmente contiguo. Rechace todo lo dem\u00e1s: no podr\u00eda haber funcionado de ninguna manera, y m\u00e1s bien utiliz\u00f3 PFN de acceso a los que no deber\u00edamos acceder.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.