ghsa-24c8-3jp4-h926
Vulnerability from github
Published
2024-11-05 18:32
Modified
2024-11-08 21:33
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unregister redistributor for failed vCPU creation

Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM:

BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758

CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119 print_report+0x144/0x7a4 mm/kasan/report.c:377 kasan_report+0xcc/0x128 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409 __fput+0x198/0x71c fs/file_table.c:422 ____fput+0x20/0x30 fs/file_table.c:450 task_work_run+0x1cc/0x23c kernel/task_work.c:228 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM.

It is important to consider the context of commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock.

Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-50114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T18:15:14Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unregister redistributor for failed vCPU creation\n\nAlex reports that syzkaller has managed to trigger a use-after-free when\ntearing down a VM:\n\n  BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n  Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758\n\n  CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317\n   show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324\n   __dump_stack lib/dump_stack.c:93 [inline]\n   dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119\n   print_report+0x144/0x7a4 mm/kasan/report.c:377\n   kasan_report+0xcc/0x128 mm/kasan/report.c:601\n   __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\n   kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n   kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409\n   __fput+0x198/0x71c fs/file_table.c:422\n   ____fput+0x20/0x30 fs/file_table.c:450\n   task_work_run+0x1cc/0x23c kernel/task_work.c:228\n   do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50\n   el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169\n   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730\n   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nUpon closer inspection, it appears that we do not properly tear down the\nMMIO registration for a vCPU that fails creation late in the game, e.g.\na vCPU w/ the same ID already exists in the VM.\n\nIt is important to consider the context of commit that introduced this bug\nby moving the unregistration out of __kvm_vgic_vcpu_destroy(). That\nchange correctly sought to avoid an srcu v. config_lock inversion by\nbreaking up the vCPU teardown into two parts, one guarded by the\nconfig_lock.\n\nFix the use-after-free while avoiding lock inversion by adding a\nspecial-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe\nbecause failed vCPUs are torn down outside of the config_lock.",
  "id": "GHSA-24c8-3jp4-h926",
  "modified": "2024-11-08T21:33:53Z",
  "published": "2024-11-05T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50114"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bcc2890b883ba1d16b8942937750565f6e9db0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ae8f8b37610269009326f4318df161206c59843e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.