// For flags

CVE-2024-50115

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits
4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't
enforce 32-byte alignment of nCR3.

In the absolute worst case scenario, failure to ignore bits 4:0 can result
in an out-of-bounds read, e.g. if the target page is at the end of a
memslot, and the VMM isn't using guard pages.

Per the APM:

The CR3 register points to the base address of the page-directory-pointer
table. The page-directory-pointer table is aligned on a 32-byte boundary,
with the low 5 address bits 4:0 assumed to be 0.

And the SDM's much more explicit:

4:0 Ignored

Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow
that is broken.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: nSVM: Ignorar nCR3[4:0] al cargar PDPTE desde la memoria Ignorar nCR3[4:0] al cargar PDPTE desde la memoria para SVM anidado, ya que los bits 4:0 de CR3 se ignoran cuando se utiliza la paginación PAE y, por lo tanto, VMRUN no aplica la alineación de 32 bytes de nCR3. En el peor de los casos, no ignorar los bits 4:0 puede dar como resultado una lectura fuera de los límites, por ejemplo, si la página de destino está al final de un memslot y el VMM no está utilizando páginas de protección. Según el APM: El registro CR3 apunta a la dirección base de la tabla de punteros de directorio de páginas. La tabla de punteros de directorio de página está alineada en un límite de 32 bytes, y se supone que los 5 bits de dirección bajos 4:0 son 0. Y el SDM es mucho más explícito: 4:0 Ignorado. Tenga en cuenta que KVM hace esto correctamente al cargar PDPTR, es solo el flujo nSVM el que está dañado.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-10-21 CVE Reserved
  • 2024-11-05 CVE Published
  • 2024-11-05 CVE Updated
  • 2024-11-06 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.2 < 5.15.170
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 5.15.170"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.2 < 6.1.115
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 6.1.115"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.2 < 6.6.59
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 6.6.59"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.2 < 6.11.6
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 6.11.6"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 3.2 < 6.12-rc5
Search vendor "Linux" for product "Linux Kernel" and version " >= 3.2 < 6.12-rc5"
en
Affected