cnvd - cnvd-2025-01666

cnvd-2025-01666

Vulnerability from cnvd

Title: Linux kernel存在未明漏洞（CNVD-2025-01666）

Description:

Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。

Linux kernel存在安全漏洞，该漏洞源于在x86/fred模块中，当触发“kernel IBT no ENDBR”自测试时，#CP中断后，中断上下文的WFE状态未被清除，导致CPU在恢复执行时再次引发missing-ENDBRANCH #CP，进入死循环，影响系统的正常运行和安全性。目前没有详细的漏洞细节提供。

Severity: 中

Patch Name: Linux kernel存在未明漏洞（CNVD-2025-01666）的补丁

Patch Description:

Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://git.kernel.org/stable/c/b939f108e86b76119428a6fa4e92491e09ac7867

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-56761

Impacted products

Name
Linux Kernel

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-56761",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-56761"
    }
  },
  "description": "Linux kernel\u662f\u7f8e\u56fdLinux\u57fa\u91d1\u4f1a\u7684\u5f00\u6e90\u64cd\u4f5c\u7cfb\u7edfLinux\u6240\u4f7f\u7528\u7684\u5185\u6838\u3002\n\nLinux kernel\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728x86/fred\u6a21\u5757\u4e2d\uff0c\u5f53\u89e6\u53d1\u201ckernel IBT no ENDBR\u201d\u81ea\u6d4b\u8bd5\u65f6\uff0c#CP\u4e2d\u65ad\u540e\uff0c\u4e2d\u65ad\u4e0a\u4e0b\u6587\u7684WFE\u72b6\u6001\u672a\u88ab\u6e05\u9664\uff0c\u5bfc\u81f4CPU\u5728\u6062\u590d\u6267\u884c\u65f6\u518d\u6b21\u5f15\u53d1missing-ENDBRANCH #CP\uff0c\u8fdb\u5165\u6b7b\u5faa\u73af\uff0c\u5f71\u54cd\u7cfb\u7edf\u7684\u6b63\u5e38\u8fd0\u884c\u548c\u5b89\u5168\u6027\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://git.kernel.org/stable/c/b939f108e86b76119428a6fa4e92491e09ac7867",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-01666",
  "openTime": "2025-01-15",
  "patchDescription": "Linux kernel\u662f\u7f8e\u56fdLinux\u57fa\u91d1\u4f1a\u7684\u5f00\u6e90\u64cd\u4f5c\u7cfb\u7edfLinux\u6240\u4f7f\u7528\u7684\u5185\u6838\u3002\r\n\r\nLinux kernel\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728x86/fred\u6a21\u5757\u4e2d\uff0c\u5f53\u89e6\u53d1\u201ckernel IBT no ENDBR\u201d\u81ea\u6d4b\u8bd5\u65f6\uff0c#CP\u4e2d\u65ad\u540e\uff0c\u4e2d\u65ad\u4e0a\u4e0b\u6587\u7684WFE\u72b6\u6001\u672a\u88ab\u6e05\u9664\uff0c\u5bfc\u81f4CPU\u5728\u6062\u590d\u6267\u884c\u65f6\u518d\u6b21\u5f15\u53d1missing-ENDBRANCH #CP\uff0c\u8fdb\u5165\u6b7b\u5faa\u73af\uff0c\u5f71\u54cd\u7cfb\u7edf\u7684\u6b63\u5e38\u8fd0\u884c\u548c\u5b89\u5168\u6027\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Linux kernel\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2025-01666\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Linux Kernel"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-56761",
  "serverity": "\u4e2d",
  "submitTime": "2025-01-10",
  "title": "Linux kernel\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2025-01666\uff09"
}

CVE-2024-56761 (GCVE-0-2024-56761)

Vulnerability from cvelistv5

Published

2025-01-06 16:20

Modified

2025-05-04 10:04

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/fred: Clear WFE in missing-ENDBRANCH #CPs An indirect branch instruction sets the CPU indirect branch tracker (IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted across the instruction boundary. When the decoder finds an inappropriate instruction while WFE is set ENDBR, the CPU raises a #CP fault. For the "kernel IBT no ENDBR" selftest where #CPs are deliberately triggered, the WFE state of the interrupted context needs to be cleared to let execution continue. Otherwise when the CPU resumes from the instruction that just caused the previous #CP, another missing-ENDBRANCH #CP is raised and the CPU enters a dead loop. This is not a problem with IDT because it doesn't preserve WFE and IRET doesn't set WFE. But FRED provides space on the entry stack (in an expanded CS area) to save and restore the WFE state, thus the WFE state is no longer clobbered, so software must clear it. Clear WFE to avoid dead looping in ibt_clear_fred_wfe() and the !ibt_fatal code path when execution is allowed to continue. Clobbering WFE in any other circumstance is a security-relevant bug. [ dhansen: changelog rewording ]

References

▼	URL	Tags
	https://git.kernel.org/stable/c/151447859d6fb0dcce8259f0971c6e94fb801661
	https://git.kernel.org/stable/c/b939f108e86b76119428a6fa4e92491e09ac7867
	https://git.kernel.org/stable/c/dc81e556f2a017d681251ace21bf06c126d5a192

Impacted products

Vendor

Product

Version

▼

Linux

Version: a5f6c2ace9974adf92ce65dacca8126d90adabfe
Version: a5f6c2ace9974adf92ce65dacca8126d90adabfe
Version: a5f6c2ace9974adf92ce65dacca8126d90adabfe

Linux

Version: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "151447859d6fb0dcce8259f0971c6e94fb801661",
              "status": "affected",
              "version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe",
              "versionType": "git"
            },
            {
              "lessThan": "b939f108e86b76119428a6fa4e92491e09ac7867",
              "status": "affected",
              "version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe",
              "versionType": "git"
            },
            {
              "lessThan": "dc81e556f2a017d681251ace21bf06c126d5a192",
              "status": "affected",
              "version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.70",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Clear WFE in missing-ENDBRANCH #CPs\n\nAn indirect branch instruction sets the CPU indirect branch tracker\n(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted\nacross the instruction boundary.  When the decoder finds an\ninappropriate instruction while WFE is set ENDBR, the CPU raises a #CP\nfault.\n\nFor the \"kernel IBT no ENDBR\" selftest where #CPs are deliberately\ntriggered, the WFE state of the interrupted context needs to be\ncleared to let execution continue.  Otherwise when the CPU resumes\nfrom the instruction that just caused the previous #CP, another\nmissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.\n\nThis is not a problem with IDT because it doesn\u0027t preserve WFE and\nIRET doesn\u0027t set WFE.  But FRED provides space on the entry stack\n(in an expanded CS area) to save and restore the WFE state, thus the\nWFE state is no longer clobbered, so software must clear it.\n\nClear WFE to avoid dead looping in ibt_clear_fred_wfe() and the\n!ibt_fatal code path when execution is allowed to continue.\n\nClobbering WFE in any other circumstance is a security-relevant bug.\n\n[ dhansen: changelog rewording ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:04:07.795Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/151447859d6fb0dcce8259f0971c6e94fb801661"
        },
        {
          "url": "https://git.kernel.org/stable/c/b939f108e86b76119428a6fa4e92491e09ac7867"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc81e556f2a017d681251ace21bf06c126d5a192"
        }
      ],
      "title": "x86/fred: Clear WFE in missing-ENDBRANCH #CPs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56761",
    "datePublished": "2025-01-06T16:20:41.112Z",
    "dateReserved": "2024-12-29T11:26:39.762Z",
    "dateUpdated": "2025-05-04T10:04:07.795Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted