CVE-2024-35980

arm64: tlb: Fix TLBI RANGE operand

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

arm64: tlb: Fix TLBI RANGE operand

KVM/arm64 relies on TLBI RANGE feature to flush TLBs when the dirty
pages are collected by VMM and the page table entries become write
protected during live migration. Unfortunately, the operand passed
to the TLBI RANGE instruction isn't correctly sorted out due to the
commit 117940aa6e5f ("KVM: arm64: Define kvm_tlb_flush_vmid_range()").
It leads to crash on the destination VM after live migration because
TLBs aren't flushed completely and some of the dirty pages are missed.

For example, I have a VM where 8GB memory is assigned, starting from
0x40000000 (1GB). Note that the host has 4KB as the base page size.
In the middile of migration, kvm_tlb_flush_vmid_range() is executed
to flush TLBs. It passes MAX_TLBI_RANGE_PAGES as the argument to
__kvm_tlb_flush_vmid_range() and __flush_s2_tlb_range_op(). SCALE#3
and NUM#31, corresponding to MAX_TLBI_RANGE_PAGES, isn't supported
by __TLBI_RANGE_NUM(). In this specific case, -1 has been returned
from __TLBI_RANGE_NUM() for SCALE#3/2/1/0 and rejected by the loop
in the __flush_tlb_range_op() until the variable @scale underflows
and becomes -9, 0xffff708000040000 is set as the operand. The operand
is wrong since it's sorted out by __TLBI_VADDR_RANGE() according to
invalid @scale and @num.

Fix it by extending __TLBI_RANGE_NUM() to support the combination of
SCALE#3 and NUM#31. With the changes, [-1 31] instead of [-1 30] can
be returned from the macro, meaning the TLBs for 0x200000 pages in the
above example can be flushed in one shoot with SCALE#3 and NUM#31. The
macro TLBI_RANGE_MASK is dropped since no one uses it any more. The
comments are also adjusted accordingly.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: arm64: tlb: corrige el operando TLBI RANGE KVM/arm64 se basa en la función TLBI RANGE para vaciar los TLB cuando VMM recopila las páginas sucias y las entradas de la tabla de páginas quedan protegidas contra escritura durante la migración en vivo. . Desafortunadamente, el operando pasado a la instrucción TLBI RANGE no está ordenado correctamente debido a la confirmación 117940aa6e5f ("KVM: arm64: Define kvm_tlb_flush_vmid_range()"). Esto provoca un bloqueo en la máquina virtual de destino después de la migración en vivo porque los TLB no se vacían por completo y se omiten algunas de las páginas sucias. Por ejemplo, tengo una máquina virtual a la que se asignan 8 GB de memoria, a partir de 0x40000000 (1 GB). Tenga en cuenta que el host tiene 4 KB como tamaño de página base. En medio de la migración, se ejecuta kvm_tlb_flush_vmid_range() para vaciar los TLB. Pasa MAX_TLBI_RANGE_PAGES como argumento para __kvm_tlb_flush_vmid_range() y __flush_s2_tlb_range_op(). SCALE#3 y NUM#31, correspondientes a MAX_TLBI_RANGE_PAGES, no son compatibles con __TLBI_RANGE_NUM(). En este caso específico, -1 ha sido devuelto por __TLBI_RANGE_NUM() para SCALE#3/2/1/0 y rechazado por el bucle en __flush_tlb_range_op() hasta que la variable @scale se desborda por debajo y se convierte en -9, 0xffff708000040000 se establece como el operando. El operando es incorrecto ya que __TLBI_VADDR_RANGE() lo ordena según @scale y @num no válidos. Solucionelo extendiendo __TLBI_RANGE_NUM() para admitir la combinación de SCALE#3 y NUM#31. Con los cambios, [-1 31] en lugar de [-1 30] se puede devolver desde la macro, lo que significa que los TLB para páginas 0x200000 en el ejemplo anterior se pueden vaciar de una vez con ESCALA#3 y NUM#31. La macro TLBI_RANGE_MASK se elimina porque ya nadie la usa. Los comentarios también se adaptan en consecuencia.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-20 CVE Published
2024-05-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/117940aa6e5f8308f1529e1313660980f1dae771	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ac4ad513de4fba18b4ac0ace132777d0910e8cfa	2024-04-27
https://git.kernel.org/stable/c/944db7b536baaf49d7e576af36a94f4719552b07	2024-04-17
https://git.kernel.org/stable/c/e3ba51ab24fddef79fc212f9840de54db8fd1685	2024-04-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.29"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.8.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.9"		en		Affected