cve-2024-50102
Vulnerability from cvelistv5
Published
2024-11-05 17:10
Modified
2024-12-19 09:33
Summary
In the Linux kernel, the following vulnerability has been resolved:

x86: fix user address masking non-canonical speculation issue

It turns out that AMD has a "Meltdown Lite(tm)" issue with non-canonical
accesses in kernel space. And so using just the high bit to decide
whether an access is in user space or kernel space ends up with the good
old "leak speculative data" if you have the right gadget using the
result:

  CVE-2020-12965 “Transient Execution of Non-Canonical Accesses”

Now, the kernel surrounds the access with a STAC/CLAC pair, and those
instructions end up serializing execution on older Zen architectures,
which closes the speculation window.

But that was true only up until Zen 5, which renames the AC bit [1].
That improves performance of STAC/CLAC a lot, but also means that the
speculation window is now open.

Note that this affects not just the new address masking, but also the
regular valid_user_address() check used by access_ok(), and the asm
version of the sign bit check in the get_user() helpers.

It does not affect put_user() or clear_user() variants, since there's no
speculative result to be used in a gadget for those operations.
References
Impacted products
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/uaccess_64.h",
            "arch/x86/kernel/cpu/common.c",
            "arch/x86/kernel/vmlinux.lds.S",
            "arch/x86/lib/getuser.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "291313693677a345d4f50aae3c68e28b469f601e",
              "status": "affected",
              "version": "6014bc27561f2cc63e0acc18adbc4ed810834e32",
              "versionType": "git"
            },
            {
              "lessThan": "86e6b1547b3d013bc392adf775b89318441403c2",
              "status": "affected",
              "version": "6014bc27561f2cc63e0acc18adbc4ed810834e32",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/uaccess_64.h",
            "arch/x86/kernel/cpu/common.c",
            "arch/x86/kernel/vmlinux.lds.S",
            "arch/x86/lib/getuser.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            { "status": "affected", "version": "6.4" },
            { "lessThan": "6.4", "status": "unaffected", "version": "0", "versionType": "semver" },
            { "lessThanOrEqual": "6.11.*", "status": "unaffected", "version": "6.11.6", "versionType": "semver" },
            { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86: fix user address masking non-canonical speculation issue\n\nIt turns out that AMD has a \"Meltdown Lite(tm)\" issue with non-canonical\naccesses in kernel space. And so using just the high bit to decide\nwhether an access is in user space or kernel space ends up with the good\nold \"leak speculative data\" if you have the right gadget using the\nresult:\n\n CVE-2020-12965 \u201cTransient Execution of Non-Canonical Accesses\u201c\n\nNow, the kernel surrounds the access with a STAC/CLAC pair, and those\ninstructions end up serializing execution on older Zen architectures,\nwhich closes the speculation window.\n\nBut that was true only up until Zen 5, which renames the AC bit [1].\nThat improves performance of STAC/CLAC a lot, but also means that the\nspeculation window is now open.\n\nNote that this affects not just the new address masking, but also the\nregular valid_user_address() check used by access_ok(), and the asm\nversion of the sign bit check in the get_user() helpers.\n\nIt does not affect put_user() or clear_user() variants, since there\u0027s no\nspeculative result to be used in a gadget for those operations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:33:08.192Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        { "url": "https://git.kernel.org/stable/c/291313693677a345d4f50aae3c68e28b469f601e" },
        { "url": "https://git.kernel.org/stable/c/86e6b1547b3d013bc392adf775b89318441403c2" }
      ],
      "title": "x86: fix user address masking non-canonical speculation issue",
      "x_generator": { "engine": "bippy-5f407fcff5a0" }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50102",
    "datePublished": "2024-11-05T17:10:37.986Z",
    "dateReserved": "2024-10-21T19:36:19.946Z",
    "dateUpdated": "2024-12-19T09:33:08.192Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50102\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-05T18:15:13.877\",\"lastModified\":\"2024-11-12T15:08:00.563\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86: fix user address masking non-canonical speculation issue\\n\\nIt turns out that AMD has a \\\"Meltdown Lite(tm)\\\" issue with non-canonical\\naccesses in kernel space. And so using just the high bit to decide\\nwhether an access is in user space or kernel space ends up with the good\\nold \\\"leak speculative data\\\" if you have the right gadget using the\\nresult:\\n\\n CVE-2020-12965 \u201cTransient Execution of Non-Canonical Accesses\u201c\\n\\nNow, the kernel surrounds the access with a STAC/CLAC pair, and those\\ninstructions end up serializing execution on older Zen architectures,\\nwhich closes the speculation window.\\n\\nBut that was true only up until Zen 5, which renames the AC bit [1].\\nThat improves performance of STAC/CLAC a lot, but also means that the\\nspeculation window is now open.\\n\\nNote that this affects not just the new address masking, but also the\\nregular valid_user_address() check used by access_ok(), and the asm\\nversion of the sign bit check in the get_user() helpers.\\n\\nIt does not affect put_user() or clear_user() variants, since there\u0027s no\\nspeculative result to be used in a gadget for those operations.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86: se soluciona el problema de especulaci\u00f3n no can\u00f3nica de enmascaramiento de direcciones de usuario Resulta que AMD tiene un problema de \\\"Meltdown Lite(tm)\\\" con los accesos no can\u00f3nicos en el espacio del kernel. Y entonces, usar solo el bit alto para decidir si un acceso est\u00e1 en el espacio del usuario o en el espacio del kernel termina con la buena y vieja \\\"filtraci\u00f3n de datos especulativos\\\" si tienes el gadget correcto usando el resultado: CVE-2020-12965 \\\"Ejecuci\u00f3n transitoria de accesos no can\u00f3nicos\\\" Ahora, el kernel rodea el acceso con un par STAC/CLAC, y esas instrucciones terminan serializando la ejecuci\u00f3n en arquitecturas Zen m\u00e1s antiguas, lo que cierra la ventana de especulaci\u00f3n. Pero eso era cierto solo hasta Zen 5, que renombra el bit AC [1]. Eso mejora mucho el rendimiento de STAC/CLAC, pero tambi\u00e9n significa que la ventana de especulaci\u00f3n ahora est\u00e1 abierta. Tenga en cuenta que esto no solo afecta al nuevo enmascaramiento de direcci\u00f3n, sino tambi\u00e9n a la comprobaci\u00f3n regular valid_user_address() utilizada por access_ok() y a la versi\u00f3n asm de la comprobaci\u00f3n del bit de signo en los ayudantes get_user(). No afecta a las variantes put_user() o clear_user(), ya que no hay ning\u00fan resultado especulativo que se pueda utilizar en un gadget para esas operaciones.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.4\",\"versionEndExcluding\":\"6.11.6\",\"matchCriteriaId\":\"DFE3B17B-8A2D-4BE4-AECF-C6853F85CDDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F717D8-3014-4F84-8086-0124B2111379\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/291313693677a345d4f50aae3c68e28b469f601e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/86e6b1547b3d013bc392adf775b89318441403c2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.