CVE-2024-26603

x86/fpu: Stop relying on userspace for info to fault in xsave buffer

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Stop relying on userspace for info to fault in xsave buffer

Before this change, the expected size of the user space buffer was
taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
from user-space, so it is possible construct a sigreturn frame where:

* fx_sw->xstate_size is smaller than the size required by valid bits in
fx_sw->xfeatures.
* user-space unmaps parts of the sigrame fpu buffer so that not all of
the buffer required by xrstor is accessible.

In this case, xrstor tries to restore and accesses the unmapped area
which results in a fault. But fault_in_readable succeeds because buf +
fx_sw->xstate_size is within the still mapped area, so it goes back and
tries xrstor again. It will spin in this loop forever.

Instead, fault in the maximum size which can be touched by XRSTOR (taken
from fpstate->user_size).

[ dhansen: tweak subject / changelog ]

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: x86/fpu: dejar de depender del espacio de usuario para que la información falle en el búfer xsave Antes de este cambio, el tamaño esperado del búfer de espacio de usuario se tomaba de fx_sw->xstate_size. fx_sw->xstate_size se puede cambiar desde el espacio de usuario, por lo que es posible construir un marco sigreturn donde: * fx_sw->xstate_size es más pequeño que el tamaño requerido por los bits válidos en fx_sw->xfeatures. * el espacio de usuario desasigna partes del búfer fpu de sigrame para que no se pueda acceder a todo el búfer requerido por xrstor. En este caso, xrstor intenta restaurar y accede al área no asignada, lo que genera una falla. Pero falla_in_readable tiene éxito porque buf + fx_sw->xstate_size está dentro del área aún mapeada, por lo que regresa e intenta xrstor nuevamente. Girará en este bucle para siempre. En cambio, falla en el tamaño máximo que XRSTOR puede tocar (tomado de fpstate->user_size). [dhansen: modificar asunto/registro de cambios]

A flaw was found in the Linux kernel's x86/fpu module, which revolves around an issue with relying on user space for critical information regarding the xsave buffer. In the affected scenario, the expected size of the user space buffer is derived from user-controlled data, specifically, fx_sw->xstate_size. By manipulating this value, an attacker could construct a malicious sigreturn frame where the indicated size is smaller than required by valid bits in fx_sw->xfeatures. Furthermore, the attacker could unmap portions of the fpu buffer in the user space, rendering them inaccessible to xrstor.

This manipulation leads to a situation where xrstor repeatedly attempts to restore and access an unmapped area, causing a fault. However, the fault_in_readable function erroneously succeeds because the accessed region, buf + fx_sw->xstate_size, remains within the mapped area. Consequently, the system enters a perpetual loop as xrstor continually retries the operation.

*Credits: N/A

CVSS Scores

NISTv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-02-24 CVE Published
2024-04-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/fcb3635f5018e53024c6be3c3213737f469f74ff	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a	2024-03-01
https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996	2024-02-23
https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2	2024-02-23
https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda	2024-02-23
https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835	2024-01-30

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26603	2024-06-05
https://bugzilla.redhat.com/show_bug.cgi?id=2265833	2024-06-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 5.15.150 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.15.150"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.1.79 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.1.79"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.6.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.6.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.7.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.7.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.8"		en		Affected