CVE-2024-50114

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50114
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50114.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-50114
Published
2024-11-05T18:15:14Z
Modified
2024-12-11T15:15:11Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unregister redistributor for failed vCPU creation

Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM:

  BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
  Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758

  CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317
   show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
   __dump_stack lib/dump_stack.c:93 [inline]
   dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119
   print_report+0x144/0x7a4 mm/kasan/report.c:377
   kasan_report+0xcc/0x128 mm/kasan/report.c:601
   __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
   kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
   kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409
   __fput+0x198/0x71c fs/file_table.c:422
   fput+0x20/0x30 fs/file_table.c:450
   task_work_run+0x1cc/0x23c kernel/task_work.c:228
   do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50
   el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169
   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM.

It is important to consider the context of commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock.

Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.11.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}