CVE-2024-38667
riscv: prevent pt_regs corruption for secondary idle threads
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
riscv: prevent pt_regs corruption for secondary idle threads
Top of the kernel thread stack should be reserved for pt_regs. However
this is not the case for the idle threads of the secondary boot harts.
Their stacks overlap with their pt_regs, so both may get corrupted.
Similar issue has been fixed for the primary hart, see c7cdd96eca28
("riscv: prevent stack corruption by reserving task_pt_regs(p) early").
However that fix was not propagated to the secondary harts. The problem
has been noticed in some CPU hotplug tests with V enabled. The function
smp_callin stored several registers on stack, corrupting top of pt_regs
structure including status field. As a result, kernel attempted to save
or restore inexistent V context.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: riscv: evita la corrupción de pt_regs para subprocesos inactivos secundarios La parte superior de la pila de subprocesos del kernel debe reservarse para pt_regs. Sin embargo, este no es el caso de los subprocesos inactivos de los corazones de arranque secundarios. Sus pilas se superponen con sus pt_regs, por lo que ambos pueden corromperse. Se ha solucionado un problema similar para el corazón principal; consulte c7cdd96eca28 ("riscv: evite la corrupción de la pila reservando task_pt_regs(p) anticipadamente"). Sin embargo, esa solución no se propagó a los corazones secundarios. El problema se ha observado en algunas pruebas de conexión en caliente de CPU con V habilitado. La función smp_callin almacenó varios registros en la pila, corrompiendo la parte superior de la estructura pt_regs, incluido el campo de estado. Como resultado, el kernel intentó guardar o restaurar el contexto V inexistente.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-06-21 CVE Reserved
- 2024-06-24 CVE Published
- 2024-06-27 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-787: Out-of-bounds Write
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/2875fe0561569f82d0e63658ccf0d11ce7da8922 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.7 < 6.1.93 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.1.93" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.7 < 6.6.33 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.6.33" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.7 < 6.9.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.9.4" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.7 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.10" | en |
Affected
| ||||||