{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-35804", "ASSIGNER": "cve@kernel.org", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Linux", "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "<", "version_name": "d97c0667c1e6", "version_value": "a9bd6bb6f02b" }, { "version_affected": "<", "version_name": "1c2361f667f3", "version_value": "726374dde5d6" }, { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "version": "5.19", "status": "affected" }, { "version": "0", "lessThan": "5.19", "status": "unaffected", "versionType": "semver" }, { "version": "5.15.154", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.1.84", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.6.24", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.7.12", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver" }, { "version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ], "defaultStatus": "affected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66" }, { "url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06" }, { "url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551" }, { "url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71" }, { "url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902", "refsource": "MISC", "name": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902" } ] }, "generator": { "engine": "bippy-9e1c9544281a" } }