CVE-2024-35804

KVM: x86: Mark target gfn of emulated atomic instruction as dirty

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Mark target gfn of emulated atomic instruction as dirty

When emulating an atomic access on behalf of the guest, mark the target
gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This
fixes a bug where KVM effectively corrupts guest memory during live
migration by writing to guest memory without informing userspace that the
page is dirty.

Marking the page dirty got unintentionally dropped when KVM's emulated
CMPXCHG was converted to do a user access. Before that, KVM explicitly
mapped the guest page into kernel memory, and marked the page dirty during
the unmap phase.

Mark the page dirty even if the CMPXCHG fails, as the old data is written
back on failure, i.e. the page is still written. The value written is
guaranteed to be the same because the operation is atomic, but KVM's ABI
is that all writes are dirty logged regardless of the value written. And
more importantly, that's what KVM did before the buggy commit.

Huge kudos to the folks on the Cc list (and many others), who did all the
actual work of triaging and debugging.

base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: marcar el gfn de destino de la instrucción atómica emulada como sucia Al emular un acceso atómico en nombre del invitado, marque el gfn de destino como sucio si se intenta realizar el CMPXCHG por KVM y no falla. Esto corrige un error por el cual KVM corrompe efectivamente la memoria del invitado durante la migración en vivo al escribir en la memoria del invitado sin informar al espacio de usuario que la página está sucia. Marcar la página como sucia se eliminó involuntariamente cuando el CMPXCHG emulado de KVM se convirtió para realizar un acceso de usuario. Antes de eso, KVM asignaba explícitamente la página invitada a la memoria del kernel y marcaba la página como sucia durante la fase de desasignación. Marque la página como sucia incluso si CMPXCHG falla, ya que los datos antiguos se vuelven a escribir en caso de fallo, es decir, la página aún está escrita. Se garantiza que el valor escrito será el mismo porque la operación es atómica, pero la ABI de KVM es que todas las escrituras se registran de forma sucia independientemente del valor escrito. Y lo que es más importante, eso es lo que hizo KVM antes de la confirmación del error. Felicitaciones enormes a las personas en la lista Cc (y a muchos otros), que hicieron todo el trabajo de clasificación y depuración. confirmación base: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-17 CVE Published
2024-05-18 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/d97c0667c1e61ded6639117b4b9584a9c12b7e66	Vuln. Introduced
https://git.kernel.org/stable/c/1c2361f667f3648855ceae25f1332c18413fdb9f	Vuln. Introduced
https://git.kernel.org/stable/c/b0f294103f4cf733e23d3f0c4e5fd58e42998921	Vuln. Introduced
https://git.kernel.org/stable/c/e964665cc7ca13a16992b205fce63554b9efc78b	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66	2024-04-10
https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06	2024-04-03
https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551	2024-04-03
https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71	2024-04-03
https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902	2024-02-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.58 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.58 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.19 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.19 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.19 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.19 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.19 < 6.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.17.13 Search vendor "Linux" for product "Linux Kernel" and version "5.17.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.18.2 Search vendor "Linux" for product "Linux Kernel" and version "5.18.2"		en		Affected