Message-ID: <2024051739-CVE-2024-35804-bd95@gregkh>
Date: Fri, 17 May 2024 15:23:44 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-35804: KVM: x86: Mark target gfn of emulated atomic instruction as dirty
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Mark target gfn of emulated atomic instruction as dirty
When emulating an atomic access on behalf of the guest, mark the target
gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This
fixes a bug where KVM effectively corrupts guest memory during live
migration by writing to guest memory without informing userspace that the
page is dirty.
Marking the page dirty got unintentionally dropped when KVM's emulated
CMPXCHG was converted to do a user access. Before that, KVM explicitly
mapped the guest page into kernel memory, and marked the page dirty during
the unmap phase.
Mark the page dirty even if the CMPXCHG fails, as the old data is written
back on failure, i.e. the page is still written. The value written is
guaranteed to be the same because the operation is atomic, but KVM's ABI
is that all writes are dirty logged regardless of the value written. And
more importantly, that's what KVM did before the buggy commit.
Huge kudos to the folks on the Cc list (and many others), who did all the
actual work of triaging and debugging.
base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64
The Linux kernel CVE team has assigned CVE-2024-35804 to this issue.
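To make the failure mode concrete, here is an added toy model of the bug and the fix. It is not KVM code; the names toy_guest, emulate_cmpxchg32 and run_migration, the four-page guest and the migration loop are all invented for illustration. The "guest" is a flat array of words with a one-entry-per-gfn dirty log; a migration pre-copies every page, starts dirty logging, lets the guest execute two emulated CMPXCHGs (one that succeeds, one that fails), then transfers only the pages the dirty log reports. With the buggy behaviour (never marking the target gfn) the successful CMPXCHG is lost on the destination; with the fixed behaviour the page is marked dirty on every attempt, success or failure, and the destination matches.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NR_PAGES   4
#define NR_WORDS   (NR_PAGES * PAGE_SIZE / sizeof(uint32_t))

/* Constructed toy guest: flat physical memory plus a dirty log, one entry per gfn. */
struct toy_guest {
    _Atomic uint32_t mem[NR_WORDS];
    uint8_t dirty[NR_PAGES];
};

static struct toy_guest guest;

static void mark_page_dirty(struct toy_guest *g, uint64_t gfn)
{
    g->dirty[gfn] = 1;
}

/*
 * Emulate a guest LOCK CMPXCHG on the u32 at guest physical address gpa.
 * Returns true if the exchange happened. With `fixed` false the dirty log is
 * never touched (the bug). With `fixed` true the page is marked dirty whenever
 * the CMPXCHG is attempted, because a CMPXCHG writes the old value back on a
 * miss, so the page is written either way.
 */
static bool emulate_cmpxchg32(struct toy_guest *g, uint64_t gpa,
                              uint32_t expected, uint32_t new_val, bool fixed)
{
    uint32_t old = expected;
    bool swapped = atomic_compare_exchange_strong(
        &g->mem[gpa / sizeof(uint32_t)], &old, new_val);

    if (fixed)
        mark_page_dirty(g, gpa >> PAGE_SHIFT);
    return swapped;
}

/*
 * Toy live migration: pre-copy all pages, start dirty logging, let the guest
 * run (two emulated CMPXCHGs), then send only pages the dirty log reports.
 * Returns the number of words that differ between source and destination
 * afterwards; a faithful migration returns 0.
 */
static size_t run_migration(bool fixed)
{
    static uint32_t dst[NR_WORDS];
    size_t i, mismatches = 0;
    uint64_t gfn;

    /* Fresh guest memory: all zero except one word at the start of page 3. */
    for (i = 0; i < NR_WORDS; i++)
        atomic_store(&guest.mem[i], 0);
    atomic_store(&guest.mem[3 * PAGE_SIZE / sizeof(uint32_t)], 0x1234u);

    /* Pre-copy pass; dirty logging begins once it completes. */
    for (i = 0; i < NR_WORDS; i++)
        dst[i] = atomic_load(&guest.mem[i]);
    memset(guest.dirty, 0, sizeof guest.dirty);

    /* Guest keeps running: a CMPXCHG that succeeds on page 2 ... */
    emulate_cmpxchg32(&guest, 2 * PAGE_SIZE + 0x40, 0, 0xdeadbeefu, fixed);
    /* ... and one that fails on page 3 (expected 0x9999, memory holds 0x1234). */
    emulate_cmpxchg32(&guest, 3 * PAGE_SIZE, 0x9999u, 0x5678u, fixed);

    /* Final pass: only pages flagged in the dirty log are transferred. */
    for (gfn = 0; gfn < NR_PAGES; gfn++) {
        if (!guest.dirty[gfn])
            continue;
        for (i = 0; i < PAGE_SIZE / sizeof(uint32_t); i++) {
            size_t w = gfn * (PAGE_SIZE / sizeof(uint32_t)) + i;
            dst[w] = atomic_load(&guest.mem[w]);
        }
    }

    for (i = 0; i < NR_WORDS; i++)
        if (dst[i] != atomic_load(&guest.mem[i]))
            mismatches++;
    return mismatches;
}

int main(void)
{
    size_t buggy = run_migration(false);
    printf("buggy: %zu mismatched word(s), dirty[2]=%u dirty[3]=%u\n",
           buggy, guest.dirty[2], guest.dirty[3]);

    size_t fixed = run_migration(true);
    printf("fixed: %zu mismatched word(s), dirty[2]=%u dirty[3]=%u\n",
           fixed, guest.dirty[2], guest.dirty[3]);
    return 0;
}
```

The interesting case is page 3: the CMPXCHG there fails and the value is unchanged, so skipping the dirty bit would not corrupt this particular migration, but the fixed path still marks it, matching the ABI described above that every write into guest memory is dirty logged regardless of the value written.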
Affected and fixed versions
===========================
Issue introduced in 5.15.58 with commit d97c0667c1e6 and fixed in 5.15.154 with commit a9bd6bb6f02b
Issue introduced in 5.19 with commit 1c2361f667f3 and fixed in 6.1.84 with commit 726374dde5d6
Issue introduced in 5.19 with commit 1c2361f667f3 and fixed in 6.6.24 with commit 9d1b22e573a3
Issue introduced in 5.19 with commit 1c2361f667f3 and fixed in 6.7.12 with commit 225d587a0735
Issue introduced in 5.19 with commit 1c2361f667f3 and fixed in 6.8 with commit 910c57dfa4d1
Issue introduced in 5.17.13 with commit b0f294103f4c
Issue introduced in 5.18.2 with commit e964665cc7ca
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-35804
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
arch/x86/kvm/x86.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66
https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06
https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551
https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71
https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902