In the Linux kernel, the following vulnerability has been resolved:
drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()
Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes".
Patch #1 fixes a bunch of issues I spotted in the acrn driver. It compiles, that's all I know. I'll appreciate some review and testing from acrn folks.
Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding more sanity checks, and improving the documentation. Gave it a quick test on x86-64 using VM_PAT that ends up using follow_pte().
This patch (of 3):
We currently miss handling various cases, resulting in a dangerous follow_pte() (previously follow_pfn()) usage.
(1) We're not checking PTE write permissions.
Maybe we should simply always require pte_write() like we do for pin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for ACRN_MEM_ACCESS_WRITE for now.
(2) We're not rejecting refcounted pages.
As we are not using MMU notifiers, messing with refcounted pages is dangerous and can result in use-after-free. Let's make sure to reject them.
(3) We are only looking at the first PTE of a bigger range.
We only look up a single PTE, but memmap->len may span a larger area. Let's loop over all involved PTEs and make sure the PFN range is actually contiguous. Reject everything else: it couldn't have worked either way, and rather made us access PFNs we shouldn't be accessing.
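The three checks listed above, as a simplified user-space model in C. This is an added example, not the kernel patch or ACRN driver code; `struct model_pte`, `check_pfn_range()`, the chosen error codes and the sample ranges are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for what a page-table walk reports for one page. */
struct model_pte {
    bool present;      /* a mapping exists at this address */
    bool writable;     /* the PTE grants write access */
    bool refcounted;   /* backed by a refcounted page, not a raw PFN mapping */
    unsigned long pfn;
};

/* Validate every PTE of the range, not only the first one.
 * Returns 0 and stores the first PFN, or a negative errno. */
static int check_pfn_range(const struct model_pte *ptes, size_t nr_pages,
                           bool want_write, unsigned long *start_pfn)
{
    if (nr_pages == 0)
        return -EINVAL;
    for (size_t i = 0; i < nr_pages; i++) {
        if (!ptes[i].present)
            return -EFAULT;                 /* hole inside the range */
        if (want_write && !ptes[i].writable)
            return -EFAULT;                 /* (1) write permission missing */
        if (ptes[i].refcounted)
            return -EINVAL;                 /* (2) refcounted page */
        if (i == 0)
            *start_pfn = ptes[i].pfn;
        else if (ptes[i].pfn != *start_pfn + i)
            return -EINVAL;                 /* (3) PFNs not contiguous */
    }
    return 0;
}

/* Constructed sample ranges: {present, writable, refcounted, pfn}. */
static const struct model_pte good[] = { {1, 1, 0, 0x1000}, {1, 1, 0, 0x1001}, {1, 1, 0, 0x1002} };
static const struct model_pte gap[] = { {1, 1, 0, 0x1000}, {1, 1, 0, 0x2000} };
static const struct model_pte ro_tail[] = { {1, 1, 0, 0x1000}, {1, 0, 0, 0x1001} };
static const struct model_pte refd[] = { {1, 1, 0, 0x1000}, {1, 1, 1, 0x1001} };
static unsigned long first_pfn;

int main(void)
{
    printf("good=%d gap=%d ro_tail=%d refd=%d\n",
           check_pfn_range(good, 3, true, &first_pfn),
           check_pfn_range(gap, 2, true, &first_pfn),
           check_pfn_range(ro_tail, 2, true, &first_pfn),
           check_pfn_range(refd, 2, true, &first_pfn));
    return 0;
}
```

Each rejected sample passes when only its first entry is inspected, which is the single-PTE lookup that item (3) describes.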