Message-ID: <2025021256-CVE-2024-57951-691d@gregkh>
Date: Wed, 12 Feb 2025 14:26:57 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-57951: hrtimers: Handle CPU state correctly on hotplug
Description
===========

In the Linux kernel, the following vulnerability has been resolved:

hrtimers: Handle CPU state correctly on hotplug

Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway
through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to
CPUHP_ONLINE:

Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set
to 1 throughout. However, during a CPU unplug operation, the tick and the
clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online
state, for instance CFS incorrectly assumes that the hrtick is already
active, and the chance of the clockevent device to transition to oneshot
mode is also lost forever for the CPU, unless it goes back to a lower state
than CPUHP_HRTIMERS_PREPARE once.

This round-trip reveals another issue; cpu_base.online is not set to 1
after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().

Aside of that, the bulk of the per CPU state is not reset either, which
means there are dangling pointers in the worst case.

Address this by adding a corresponding startup() callback, which resets the
stale per CPU state and sets the online flag.

[ tglx: Make the new callback unconditionally available, remove the online
  	modification in the prepare() callback and clear the remaining
  	state in the starting callback instead of the prepare callback ]

The Linux kernel CVE team has assigned CVE-2024-57951 to this issue.
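
The round trip described above, as an added userspace model in C; it is not kernel code and not part of the original advisory. Only hres_active and online are fields named in the advisory; the struct, the function names and the cached pointer are hypothetical, and clearing online on teardown is an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userspace model only, not kernel code. hres_active and online are the
 * fields named in the advisory; all other names are hypothetical. */
struct base_model {
    bool online;          /* cpu_base.online */
    bool hres_active;     /* cpu_base.hres_active */
    bool oneshot;         /* clockevent device is in oneshot mode */
    const void *cached;   /* stands in for the rest of the per-CPU state */
};

/* Reset that the pre-fix code did only in the prepare() callback. */
static void reset_state(struct base_model *b)
{
    memset(b, 0, sizeof(*b));
    b->online = true;
}

/* Tick path: switch to high resolution unless it is believed active. */
static void try_switch_to_hres(struct base_model *b)
{
    if (b->hres_active)
        return;             /* a stale flag makes this a permanent no-op */
    b->oneshot = true;
    b->hres_active = true;
}

/* CPUHP_ONLINE -> CPUHP_HRTIMERS_PREPARE -> CPUHP_ONLINE, as in the advisory.
 * fixed=true adds the starting callback described as the fix. */
static struct base_model round_trip(bool fixed)
{
    static const int old_timer = 0;
    struct base_model b;

    reset_state(&b);            /* initial bring-up from a lower state */
    try_switch_to_hres(&b);
    b.cached = &old_timer;      /* per-CPU state accumulated while online */

    /* Way down: tick and clockevents shut down at CPUHP_AP_TICK_DYING. */
    b.oneshot = false;
    b.online = false;           /* assumption: teardown clears online */

    /* Way up: prepare() is not re-run, the CPU never went below it. */
    if (fixed)
        reset_state(&b);        /* new starting callback */
    try_switch_to_hres(&b);
    return b;
}
```

round_trip(false) ends with hres_active set while the clockevent is not in oneshot mode, online clear and the old pointer still cached; round_trip(true) ends with all four fields consistent.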

Affected and fixed versions
===========================

Issue introduced in 5.4.264 with commit 54d0d83a53508d687fd4a225f8aa1f18559562d0 and fixed in 5.4.290 with commit 95e4f62df23f4df1ce6ef897d44b8e23c260921a
Issue introduced in 5.10.204 with commit 7f4c89400d2997939f6971c7981cc780a219e36b and fixed in 5.10.234 with commit 14984139f1f2768883332965db566ef26db609e7
Issue introduced in 5.15.143 with commit 6fcbcc6c8e52650749692c7613cbe71bf601670d and fixed in 5.15.177 with commit 15b453db41d36184cf0ccc21e7df624014ab6a1a
Issue introduced in 6.1.68 with commit 75b5016ce325f1ef9c63e5398a1064cf8a7a7354 and fixed in 6.1.127 with commit 3d41dbf82e10c44e53ea602398ab002baec27e75
Issue introduced in 6.6.7 with commit 53f408cad05bb987af860af22f4151e5a18e6ee8 and fixed in 6.6.74 with commit a5cbbea145b400e40540c34816d16d36e0374fbc
Issue introduced in 6.7 with commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 and fixed in 6.12.11 with commit 38492f6ee883c7b1d33338bf531a62cff69b4b28
Issue introduced in 6.7 with commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 and fixed in 6.13 with commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686
Issue introduced in 4.19.302 with commit 9a2fc41acb69dd4e2a58d0c04346c3333c2341fc

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-57951
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	include/linux/hrtimer.h
	kernel/cpu.c
	kernel/time/hrtimer.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a
https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7
https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a
https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75
https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc
https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28
https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686