CVE-2024-35791

KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before
dropping kvm->lock to fix use-after-free issues where region and/or its
array of pages could be freed by a different task, e.g. if userspace has
__unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully
resolve the bug, as region->pages is also dynamically allocated. I.e. the
region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire
flow is a rare slow path, and the manual flush is only needed on CPUs that
lack coherency for encrypted memory.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: SVM: Vaciar páginas bajo kvm->lock para arreglar UAF en svm_register_enc_region() Realice el vaciado de caché de las páginas convertidas en svm_register_enc_region() antes de eliminar kvm->lock para arreglar el uso -Problemas posteriores a la liberación en los que la región y/o su conjunto de páginas podrían liberarse mediante una tarea diferente, por ejemplo, si el espacio de usuario ya tiene __unregister_enc_region_locked() en cola para la región. Tenga en cuenta que la alternativa "obvia" de usar variables locales no resuelve completamente el error, ya que región->páginas también se asigna dinámicamente. Es decir, la estructura de la región en sí estaría bien, pero se podrían liberar regiones->páginas. Vaciar varias páginas bajo kvm->lock es desafortunado, pero todo el flujo es un camino lento poco común, y el vaciado manual solo es necesario en CPU que carecen de coherencia para la memoria cifrada.

A security vulnerability was identified in the Linux kernel's Kernel-based Virtual Machine subsystem (KVM), specifically affecting the Secure Virtual Machine (SVM) feature used on AMD processors. The issue arises from a use-after-free condition in the svm_register_enc_region() function, which can lead to system instability or potential exploitation.

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. It was discovered that the ATA over Ethernet driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-17 CVE Published
2025-05-04 CVE Updated
2025-06-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/4f627ecde7329e476a077bb0590db8f27bb8f912	Vuln. Introduced
https://git.kernel.org/stable/c/19a23da53932bc8011220bd8c410cb76012de004	Vuln. Introduced
https://git.kernel.org/stable/c/f1ecde00ce1694597f923f0d25f7a797c5243d99	Vuln. Introduced
https://git.kernel.org/stable/c/848bcb0a1d96f67d075465667d3a1ad4af56311e	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d	2024-04-13
https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7	2024-04-10
https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865	2024-04-03
https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4	2024-04-03
https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a	2024-04-03
https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807	2024-02-23

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35791	2024-09-11
https://bugzilla.redhat.com/show_bug.cgi?id=2281052	2024-09-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.15 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.15 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.176 Search vendor "Linux" for product "Linux Kernel" and version "4.19.176"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.98 Search vendor "Linux" for product "Linux Kernel" and version "5.4.98"		en		Affected