CVE-2024-50072

x86/bugs: Use code segment selector for VERW operand

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

x86/bugs: Use code segment selector for VERW operand

Robert Gill reported below #GP in 32-bit mode when dosemu software was
executing vm86() system call:

general protection fault: 0000 [#1] PREEMPT SMP
CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
EIP: restore_all_switch_stack+0xbe/0xcf
EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
Call Trace:
show_regs+0x70/0x78
die_addr+0x29/0x70
exc_general_protection+0x13c/0x348
exc_bounds+0x98/0x98
handle_exception+0x14d/0x14d
exc_bounds+0x98/0x98
restore_all_switch_stack+0xbe/0xcf
exc_bounds+0x98/0x98
restore_all_switch_stack+0xbe/0xcf

This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS
are enabled. This is because segment registers with an arbitrary user value
can result in #GP when executing VERW. Intel SDM vol. 2C documents the
following behavior for VERW instruction:

#GP(0) - If a memory operand effective address is outside the CS, DS, ES,
FS, or GS segment limit.

CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user
space. Use %cs selector to reference VERW operand. This ensures VERW will
not #GP for an arbitrary user %ds.

[ mingo: Fixed the SOB chain. ]

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-10-21 CVE Reserved
2024-10-29 CVE Published
2024-11-02 EPSS Updated
2024-11-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/50f021f0b985629accf10481a6e89af8b9700583	Vuln. Introduced
https://git.kernel.org/stable/c/d54de9f2a127090f2017184e8257795b487d5312	Vuln. Introduced
https://git.kernel.org/stable/c/2e3087505ddb8ba2d3d4c81306cca11e868fcdb9	Vuln. Introduced
https://git.kernel.org/stable/c/ca13d8cd8dac25558da4ee8df4dc70e8e7f9d762	Vuln. Introduced
https://git.kernel.org/stable/c/a0e2dab44d22b913b4c228c8b52b2a104434b0b3	Vuln. Introduced
https://git.kernel.org/stable/c/51eca9f1fd047b500137d021f882d93f03280118	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/bfd1d223d80cb29a210caa1bd5e21f0816d58f02	2024-11-08
https://git.kernel.org/stable/c/ada431c6c31a2c8c37991c46089af5caa23a9c6e	2024-11-08
https://git.kernel.org/stable/c/38c5fe74f3bef98f75d16effa49836d50c9b6097	2024-11-08
https://git.kernel.org/stable/c/481b477ab63c7245715a3e57ba79eb87c2dc0d02	2024-10-22
https://git.kernel.org/stable/c/bc576fbaf82deded606e69a00efe9752136bf91d	2024-10-22
https://git.kernel.org/stable/c/e4d2102018542e3ae5e297bc6e229303abff8a0f	2024-10-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.215 < 5.10.229 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.215 < 5.10.229"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.154 < 5.15.171 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.154 < 5.15.171"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.81 < 6.1.116 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.81 < 6.1.116"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.21 < 6.6.58 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.21 < 6.6.58"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.11.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.11.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.7.9 Search vendor "Linux" for product "Linux Kernel" and version "6.7.9"		en		Affected