ghsa-xfvp-h462-p6q2
Vulnerability from github
Published
2024-02-23 15:30
Modified
2024-06-25 21:31
Severity
7.8 (High) - CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache

There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes.

Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-26598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-23T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache\n\nThere is a potential UAF scenario in the case of an LPI translation\ncache hit racing with an operation that invalidates the cache, such\nas a DISCARD ITS command. The root of the problem is that\nvgic_its_check_cache() does not elevate the refcount on the vgic_irq\nbefore dropping the lock that serializes refcount changes.\n\nHave vgic_its_check_cache() raise the refcount on the returned vgic_irq\nand add the corresponding decrement after queueing the interrupt.",
  "id": "GHSA-xfvp-h462-p6q2",
  "modified": "2024-06-25T21:31:11Z",
  "published": "2024-02-23T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26598"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.