cve-2024-46830
Vulnerability from cvelistv5
Published
2024-09-27 12:39
Modified
2024-11-05 09:47
Severity ?
EPSS score ?
Summary
KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-29T14:12:09.375859Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-29T14:12:18.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa297c33faef",
"status": "affected",
"version": "f7e570780efc",
"versionType": "git"
},
{
"lessThan": "939375737b5a",
"status": "affected",
"version": "f7e570780efc",
"versionType": "git"
},
{
"lessThan": "ecdbe8ac86fb",
"status": "affected",
"version": "f7e570780efc",
"versionType": "git"
},
{
"lessThan": "4bcdd831d9d0",
"status": "affected",
"version": "f7e570780efc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/x86.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.110",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.51",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.10.*",
"status": "unaffected",
"version": "6.10.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.11",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS\n\nGrab kvm-\u003esrcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly\nleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX\nreads guest memory.\n\nNote, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN\nvia sync_regs(), which already holds SRCU. I.e. trying to precisely use\nkvm_vcpu_srcu_read_lock() around the problematic SMM code would cause\nproblems. Acquiring SRCU isn\u0027t all that expensive, so for simplicity,\ngrab it unconditionally for KVM_SET_VCPU_EVENTS.\n\n =============================\n WARNING: suspicious RCU usage\n 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted\n -----------------------------\n include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!\n\n other info that might help us debug this:\n\n rcu_scheduler_active = 2, debug_locks = 1\n 1 lock held by repro/1071:\n #0: ffff88811e424430 (\u0026vcpu-\u003emutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n\n stack backtrace:\n CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x7f/0x90\n lockdep_rcu_suspicious+0x13f/0x1a0\n kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]\n kvm_vcpu_read_guest+0x3e/0x90 [kvm]\n nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]\n load_vmcs12_host_state+0x432/0xb40 [kvm_intel]\n vmx_leave_nested+0x30/0x40 [kvm_intel]\n kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]\n kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]\n ? mark_held_locks+0x49/0x70\n ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]\n ? kvm_vcpu_ioctl+0x497/0x970 [kvm]\n kvm_vcpu_ioctl+0x497/0x970 [kvm]\n ? lock_acquire+0xba/0x2d0\n ? find_held_lock+0x2b/0x80\n ? do_user_addr_fault+0x40c/0x6f0\n ? lock_release+0xb7/0x270\n __x64_sys_ioctl+0x82/0xb0\n do_syscall_64+0x6c/0x170\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7ff11eb1b539\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T09:47:27.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228"
},
{
"url": "https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e"
},
{
"url": "https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9"
},
{
"url": "https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2ee88da1"
}
],
"title": "KVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS",
"x_generator": {
"engine": "bippy-9e1c9544281a"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-46830",
"datePublished": "2024-09-27T12:39:28.396Z",
"dateReserved": "2024-09-11T15:12:18.286Z",
"dateUpdated": "2024-11-05T09:47:27.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-46830\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-09-27T13:15:15.380\",\"lastModified\":\"2024-11-21T14:52:46.250\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86: Acquire kvm-\u003esrcu when handling KVM_SET_VCPU_EVENTS\\n\\nGrab kvm-\u003esrcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly\\nleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX\\nreads guest memory.\\n\\nNote, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN\\nvia sync_regs(), which already holds SRCU. I.e. trying to precisely use\\nkvm_vcpu_srcu_read_lock() around the problematic SMM code would cause\\nproblems. Acquiring SRCU isn\u0027t all that expensive, so for simplicity,\\ngrab it unconditionally for KVM_SET_VCPU_EVENTS.\\n\\n =============================\\n WARNING: suspicious RCU usage\\n 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted\\n -----------------------------\\n include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!\\n\\n other info that might help us debug this:\\n\\n rcu_scheduler_active = 2, debug_locks = 1\\n 1 lock held by repro/1071:\\n #0: ffff88811e424430 (\u0026vcpu-\u003emutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]\\n\\n stack backtrace:\\n CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552\\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\\n Call Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x7f/0x90\\n lockdep_rcu_suspicious+0x13f/0x1a0\\n kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]\\n kvm_vcpu_read_guest+0x3e/0x90 [kvm]\\n nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]\\n load_vmcs12_host_state+0x432/0xb40 [kvm_intel]\\n vmx_leave_nested+0x30/0x40 [kvm_intel]\\n kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]\\n kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]\\n ? mark_held_locks+0x49/0x70\\n ? kvm_vcpu_ioctl+0x7d/0x970 [kvm]\\n ? kvm_vcpu_ioctl+0x497/0x970 [kvm]\\n kvm_vcpu_ioctl+0x497/0x970 [kvm]\\n ? lock_acquire+0xba/0x2d0\\n ? find_held_lock+0x2b/0x80\\n ? do_user_addr_fault+0x40c/0x6f0\\n ? lock_release+0xb7/0x270\\n __x64_sys_ioctl+0x82/0xb0\\n do_syscall_64+0x6c/0x170\\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\\n RIP: 0033:0x7ff11eb1b539\\n \u003c/TASK\u003e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: Adquirir kvm-\u0026gt;srcu al manejar KVM_SET_VCPU_EVENTS Adquiera kvm-\u0026gt;srcu al procesar KVM_SET_VCPU_EVENTS, ya que KVM abandonar\u00e1 a la fuerza el VMX/SVM anidado si se alterna el modo SMM, y al abandonar el VMX anidado se lee la memoria del invitado. Tenga en cuenta que kvm_vcpu_ioctl_x86_set_vcpu_events() tambi\u00e9n se puede llamar desde KVM_RUN a trav\u00e9s de sync_regs(), que ya contiene SRCU. Es decir, intentar usar con precisi\u00f3n kvm_vcpu_srcu_read_lock() alrededor del c\u00f3digo SMM problem\u00e1tico causar\u00eda problemas. Adquirir SRCU no es tan caro, as\u00ed que para simplificar, t\u00f3melo incondicionalmente para KVM_SET_VCPU_EVENTS. ============================= ADVERTENCIA: uso sospechoso de RCU 6.10.0-rc7-332d2c1d713e-next-vm #552 No contaminado ----------------------------- include/linux/kvm_host.h:1027 \u00a1Uso sospechoso de rcu_dereference_check()! Otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: rcu_scheduler_active = 2, debug_locks = 1 1 bloqueo retenido por repro/1071: #0: ffff88811e424430 (\u0026amp;vcpu-\u0026gt;mutex){+.+.}-{3:3}, en: kvm_vcpu_ioctl+0x7d/0x970 [kvm] seguimiento de pila: CPU: 15 PID: 1071 Comm: repro No contaminado 6.10.0-rc7-332d2c1d713e-next-vm #552 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Seguimiento de llamadas: dump_stack_lvl+0x7f/0x90 kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? bloqueo_adquirir+0xba/0x2d0 ? encontrar_bloqueo_retenido+0x2b/0x80 ? hacer_error_direcci\u00f3n_usuario+0x40c/0x6f0 ? liberaci\u00f3n_de_bloqueo+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 hacer_llamada_al_sistema_64+0x6c/0x170 entrada_SYSCALL_64_despu\u00e9s_de_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.17\",\"versionEndExcluding\":\"6.1.110\",\"matchCriteriaId\":\"BBF34251-254C-4A5B-A072-3C3A93781706\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.51\",\"matchCriteriaId\":\"E4529134-BAC4-4776-840B-304009E181A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.10\",\"matchCriteriaId\":\"ACDEE48C-137A-4731-90D0-A675865E1BED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.10.97:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4519128A-26A9-4476-8F13-E1BBD83880BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15.19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2B600A1B-5001-4778-8D8B-3807206CC8BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.16.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FD1CB23-AA16-4EC2-920F-55BF92FFBCCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B3CE743-2126-47A3-8B7C-822B502CF119\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DEB27E7-30AA-45CC-8934-B89263EF3551\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0005AEF-856E-47EB-BFE4-90C46899394D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"39889A68-6D34-47A6-82FC-CD0BF23D6754\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8383ABF-1457-401F-9B61-EE50F4C61F4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B77A9280-37E6-49AD-B559-5B23A3B1DC3D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4bcdd831d9d01e0fb64faea50732b59b2ee88da1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/939375737b5a0b1bf9b1e75129054e11bc9ca65e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ecdbe8ac86fb5538ccc623a41f88ec96c7168ab9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fa297c33faefe51e10244e8a378837fca4963228\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.