admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
cvelist/2024/26xxx/CVE-2024-26991.json
CVE Team 2a7032e93f
"-Synchronized-Data."
2024-05-29 06:01:04 +00:00

102 lines
8.1 KiB
JSON
Raw Blame History

{
"data_version": "4.0",
"data_type": "CVE",
"data_format": "MITRE",
"CVE_data_meta": {
"ID": "CVE-2024-26991",
"ASSIGNER": "cve@kernel.org",
"STATE": "PUBLIC"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes\n\nFix KVM_SET_MEMORY_ATTRIBUTES to not overflow lpage_info array and trigger\nKASAN splat, as seen in the private_mem_conversions_test selftest.\n\nWhen memory attributes are set on a GFN range, that range will have\nspecific properties applied to the TDP. A huge page cannot be used when\nthe attributes are inconsistent, so they are disabled for those the\nspecific huge pages. For internal KVM reasons, huge pages are also not\nallowed to span adjacent memslots regardless of whether the backing memory\ncould be mapped as huge.\n\nWhat GFNs support which huge page sizes is tracked by an array of arrays\n'lpage_info' on the memslot, of \u2018kvm_lpage_info\u2019 structs. Each index of\nlpage_info contains a vmalloc allocated array of these for a specific\nsupported page size. The kvm_lpage_info denotes whether a specific huge\npage (GFN and page size) on the memslot is supported. These arrays include\nindices for unaligned head and tail huge pages.\n\nPreventing huge pages from spanning adjacent memslot is covered by\nincrementing the count in head and tail kvm_lpage_info when the memslot is\nallocated, but disallowing huge pages for memory that has mixed attributes\nhas to be done in a more complicated way. During the\nKVM_SET_MEMORY_ATTRIBUTES ioctl KVM updates lpage_info for each memslot in\nthe range that has mismatched attributes. KVM does this a memslot at a\ntime, and marks a special bit, KVM_LPAGE_MIXED_FLAG, in the kvm_lpage_info\nfor any huge page. This bit is essentially a permanently elevated count.\nSo huge pages will not be mapped for the GFN at that page size if the\ncount is elevated in either case: a huge head or tail page unaligned to\nthe memslot or if KVM_LPAGE_MIXED_FLAG is set because it has mixed\nattributes.\n\nTo determine whether a huge page has consistent attributes, the\nKVM_SET_MEMORY_ATTRIBUTES operation checks an xarray to make sure it\nconsistently has the incoming attribute. Since level - 1 huge pages are\naligned to level huge pages, it employs an optimization. As long as the\nlevel - 1 huge pages are checked first, it can just check these and assume\nthat if each level - 1 huge page contained within the level sized huge\npage is not mixed, then the level size huge page is not mixed. This\noptimization happens in the helper hugepage_has_attrs().\n\nUnfortunately, although the kvm_lpage_info array representing page size\n'level' will contain an entry for an unaligned tail page of size level,\nthe array for level - 1 will not contain an entry for each GFN at page\nsize level. The level - 1 array will only contain an index for any\nunaligned region covered by level - 1 huge page size, which can be a\nsmaller region. So this causes the optimization to overflow the level - 1\nkvm_lpage_info and perform a vmalloc out of bounds read.\n\nIn some cases of head and tail pages where an overflow could happen,\ncallers skip the operation completely as KVM_LPAGE_MIXED_FLAG is not\nrequired to prevent huge pages as discussed earlier. But for memslots that\nare smaller than the 1GB page size, it does call hugepage_has_attrs(). In\nthis case the huge page is both the head and tail page. The issue can be\nobserved simply by compiling the kernel with CONFIG_KASAN_VMALLOC and\nrunning the selftest \u201cprivate_mem_conversions_test\u201d, which produces the\noutput like the following:\n\nBUG: KASAN: vmalloc-out-of-bounds in hugepage_has_attrs+0x7e/0x110\nRead of size 4 at addr ffffc900000a3008 by task private_mem_con/169\nCall Trace:\n dump_stack_lvl\n print_report\n ? __virt_addr_valid\n ? hugepage_has_attrs\n ? hugepage_has_attrs\n kasan_report\n ? hugepage_has_attrs\n hugepage_has_attrs\n kvm_arch_post_set_memory_attributes\n kvm_vm_ioctl\n\nIt is a little ambiguous whether the unaligned head page (in the bug case\nalso the tail page) should be expected to have KVM_LPAGE_MIXED_FLAG set.\nIt is not functionally required, as the unal\n---truncated---"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"affects": {
"vendor": {
"vendor_data": [
{
"vendor_name": "Linux",
"product": {
"product_data": [
{
"product_name": "Linux",
"version": {
"version_data": [
{
"version_affected": "<",
"version_name": "90b4fe17981e",
"version_value": "048cc4a028e6"
},
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"version": "6.8",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.8",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.8.8",
"lessThanOrEqual": "6.8.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.9",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
],
"defaultStatus": "affected"
}
}
]
}
}
]
}
}
]
}
},
"references": {
"reference_data": [
{
"url": "https://git.kernel.org/stable/c/048cc4a028e635d339687ed968985d2d1669494c",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/048cc4a028e635d339687ed968985d2d1669494c"
},
{
"url": "https://git.kernel.org/stable/c/992b54bd083c5bee24ff7cc35991388ab08598c4",
"refsource": "MISC",
"name": "https://git.kernel.org/stable/c/992b54bd083c5bee24ff7cc35991388ab08598c4"
}
]
},
"generator": {
"engine": "bippy-a5840b7849dd"
}
}
Reference in New Issue View Git Blame Copy Permalink