CVE-2024-36936
efi/unaccepted: touch soft lockup during memory accept
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
efi/unaccepted: touch soft lockup during memory accept
Commit 50e782a86c98 ("efi/unaccepted: Fix soft lockups caused by
parallel memory acceptance") has released the spinlock so other CPUs can
do memory acceptance in parallel and not triggers softlockup on other
CPUs.
However the softlock up was intermittent shown up if the memory of the
TD guest is large, and the timeout of softlockup is set to 1 second:
RIP: 0010:_raw_spin_unlock_irqrestore
Call Trace:
? __hrtimer_run_queues
<IRQ>
? hrtimer_interrupt
? watchdog_timer_fn
? __sysvec_apic_timer_interrupt
? __pfx_watchdog_timer_fn
? sysvec_apic_timer_interrupt
</IRQ>
? __hrtimer_run_queues
<TASK>
? hrtimer_interrupt
? asm_sysvec_apic_timer_interrupt
? _raw_spin_unlock_irqrestore
? __sysvec_apic_timer_interrupt
? sysvec_apic_timer_interrupt
accept_memory
try_to_accept_memory
do_huge_pmd_anonymous_page
get_page_from_freelist
__handle_mm_fault
__alloc_pages
__folio_alloc
? __tdx_hypercall
handle_mm_fault
vma_alloc_folio
do_user_addr_fault
do_huge_pmd_anonymous_page
exc_page_fault
? __do_huge_pmd_anonymous_page
asm_exc_page_fault
__handle_mm_fault
When the local irq is enabled at the end of accept_memory(), the
softlockup detects that the watchdog on single CPU has not been fed for
a while. That is to say, even other CPUs will not be blocked by
spinlock, the current CPU might be stunk with local irq disabled for a
while, which hurts not only nmi watchdog but also softlockup.
Chao Gao pointed out that the memory accept could be time costly and
there was similar report before. Thus to avoid any softlocup detection
during this stage, give the softlockup a flag to skip the timeout check
at the end of accept_memory(), by invoking touch_softlockup_watchdog().
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: efi/unaccepted: toque el bloqueo suave durante la aceptación de la memoria. El commit 50e782a86c98 ("efi/unaccepted: solucione los bloqueos suaves causados por la aceptación de la memoria paralela") ha liberado el bloqueo de giro para que otras CPU puedan usar la memoria. aceptación en paralelo y no activa el bloqueo suave en otras CPU. Sin embargo, el bloqueo suave se mostró de forma intermitente si la memoria del TD invitado es grande y el tiempo de espera del bloqueo suave se establece en 1 segundo: RIP: 0010:_raw_spin_unlock_irqrestore Seguimiento de llamadas:? __hrtimer_run_queues ? hrtimer_interrupt? watchdog_timer_fn? __sysvec_apic_timer_interrupt? __pfx_watchdog_timer_fn? sysvec_apic_timer_interrupt ? __hrtimer_run_queues ? hrtimer_interrupt? asm_sysvec_apic_timer_interrupt? _raw_spin_unlock_irqrestore? __sysvec_apic_timer_interrupt? sysvec_apic_timer_interrupt aceptar_memoria try_to_accept_memory do_huge_pmd_anonymous_page get_page_from_freelist __handle_mm_fault __alloc_pages __folio_alloc? __tdx_hypercall handle_mm_fault vma_alloc_folio do_user_addr_fault do_huge_pmd_anonymous_page exc_page_fault? __do_huge_pmd_anonymous_page asm_exc_page_fault __handle_mm_fault Cuando el irq local está habilitado al final de Accept_memory(), el bloqueo suave detecta que el mecanismo de vigilancia en una sola CPU no ha sido alimentado por un tiempo. Es decir, incluso otras CPU no serán bloqueadas por spinlock, la CPU actual podría apestar con el irq local deshabilitado por un tiempo, lo que perjudica no solo al nmi watchdog sino también al softlockup. Chao Gao señaló que la aceptación de la memoria podría llevar mucho tiempo y hubo un informe similar antes. Por lo tanto, para evitar cualquier detección de softlocup durante esta etapa, proporcione al softlockup una bandera para omitir la verificación del tiempo de espera al final de Accept_memory(), invocando touch_softlockup_watchdog().
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-30 CVE Reserved
- 2024-05-30 CVE Published
- 2024-10-11 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/50e782a86c980d4f8292ef82ed8139282ca07a98 | Vuln. Introduced | |
https://git.kernel.org/stable/c/b583bfcc5a36dbd1db1984dbfcfd23ba64d23604 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-36936 | 2024-11-12 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2296278 | 2024-11-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.6.55 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.55" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.8.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8.10" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.5.9 Search vendor "Linux" for product "Linux Kernel" and version "6.5.9" | en |
Affected
|