nvd-json-data-feeds/CVE-2024/CVE-2024-477xx/CVE-2024-47744.json

{
  "id": "CVE-2024-47744",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-10-21T13:15:04.480",
  "lastModified": "2024-10-22T15:44:40.393",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock\n\nUse a dedicated mutex to guard kvm_usage_count to fix a potential deadlock\non x86 due to a chain of locks and SRCU synchronizations.  Translating the\nbelow lockdep splat, CPU1 #6 will wait on CPU0 #1, CPU0 #8 will wait on\nCPU2 #3, and CPU2 #7 will wait on CPU1 #4 (if there's a writer, due to the\nfairness of r/w semaphores).\n\n    CPU0                     CPU1                     CPU2\n1   lock(&kvm->slots_lock);\n2                                                     lock(&vcpu->mutex);\n3                                                     lock(&kvm->srcu);\n4                            lock(cpu_hotplug_lock);\n5                            lock(kvm_lock);\n6                            lock(&kvm->slots_lock);\n7                                                     lock(cpu_hotplug_lock);\n8   sync(&kvm->srcu);\n\nNote, there are likely more potential deadlocks in KVM x86, e.g. the same\npattern of taking cpu_hotplug_lock outside of kvm_lock likely exists with\n__kvmclock_cpufreq_notifier():\n\n  cpuhp_cpufreq_online()\n  |\n  -> cpufreq_online()\n     |\n     -> cpufreq_gov_performance_limits()\n        |\n        -> __cpufreq_driver_target()\n           |\n           -> __target_index()\n              |\n              -> cpufreq_freq_transition_begin()\n                 |\n                 -> cpufreq_notify_transition()\n                    |\n                    -> ... __kvmclock_cpufreq_notifier()\n\nBut, actually triggering such deadlocks is beyond rare due to the\ncombination of dependencies and timings involved.  E.g. the cpufreq\nnotifier is only used on older CPUs without a constant TSC, mucking with\nthe NX hugepage mitigation while VMs are running is very uncommon, and\ndoing so while also onlining/offlining a CPU (necessary to generate\ncontention on cpu_hotplug_lock) would be even more unusual.\n\nThe most robust solution to the general cpu_hotplug_lock issue is likely\nto switch vm_list to be an RCU-protected list, e.g. so that x86's cpufreq\nnotifier doesn't to take kvm_lock.  For now, settle for fixing the most\nblatant deadlock, as switching to an RCU-protected list is a much more\ninvolved change, but add a comment in locking.rst to call out that care\nneeds to be taken when walking holding kvm_lock and walking vm_list.\n\n  ======================================================\n  WARNING: possible circular locking dependency detected\n  6.10.0-smp--c257535a0c9d-pip #330 Tainted: G S         O\n  ------------------------------------------------------\n  tee/35048 is trying to acquire lock:\n  ff6a80eced71e0a8 (&kvm->slots_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x179/0x1e0 [kvm]\n\n  but task is already holding lock:\n  ffffffffc07abb08 (kvm_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x14a/0x1e0 [kvm]\n\n  which lock already depends on the new lock.\n\n   the existing dependency chain (in reverse order) is:\n\n  -> #3 (kvm_lock){+.+.}-{3:3}:\n         __mutex_lock+0x6a/0xb40\n         mutex_lock_nested+0x1f/0x30\n         kvm_dev_ioctl+0x4fb/0xe50 [kvm]\n         __se_sys_ioctl+0x7b/0xd0\n         __x64_sys_ioctl+0x21/0x30\n         x64_sys_call+0x15d0/0x2e60\n         do_syscall_64+0x83/0x160\n         entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  -> #2 (cpu_hotplug_lock){++++}-{0:0}:\n         cpus_read_lock+0x2e/0xb0\n         static_key_slow_inc+0x16/0x30\n         kvm_lapic_set_base+0x6a/0x1c0 [kvm]\n         kvm_set_apic_base+0x8f/0xe0 [kvm]\n         kvm_set_msr_common+0x9ae/0xf80 [kvm]\n         vmx_set_msr+0xa54/0xbe0 [kvm_intel]\n         __kvm_set_msr+0xb6/0x1a0 [kvm]\n         kvm_arch_vcpu_ioctl+0xeca/0x10c0 [kvm]\n         kvm_vcpu_ioctl+0x485/0x5b0 [kvm]\n         __se_sys_ioctl+0x7b/0xd0\n         __x64_sys_ioctl+0x21/0x30\n         x64_sys_call+0x15d0/0x2e60\n         do_syscall_64+0x83/0x160\n         entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n  -> #1 (&kvm->srcu){.+.+}-{0:0}:\n         __synchronize_srcu+0x44/0x1a0\n      \
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: usar mutex dedicado para proteger kvm_usage_count para evitar un bloqueo Use un mutex dedicado para proteger kvm_usage_count para reparar un posible bloqueo en x86 debido a una cadena de bloqueos y sincronizaciones SRCU. Traduciendo el siguiente splat lockdep, CPU1 #6 esperar\u00e1 a CPU0 #1, CPU0 #8 esperar\u00e1 a CPU2 #3 y CPU2 #7 esperar\u00e1 a CPU1 #4 (si hay un escritor, debido a la imparcialidad de los sem\u00e1foros de lectura/escritura). CPU0 CPU1 CPU2 1 lock(&kvm->slots_lock); 2 lock(&vcpu->mutex); 3 lock(&kvm->srcu); 4 lock(cpu_hotplug_lock); 5 lock(kvm_lock); 6 lock(&kvm->slots_lock); 7 lock(cpu_hotplug_lock); 8 sync(&kvm->srcu); Tenga en cuenta que es probable que haya m\u00e1s bloqueos potenciales en KVM x86, por ejemplo, el mismo patr\u00f3n de tomar cpu_hotplug_lock fuera de kvm_lock probablemente exista con __kvmclock_cpufreq_notifier(): cpuhp_cpufreq_online() | -> cpufreq_online() | -> cpufreq_gov_performance_limits() | -> __cpufreq_driver_target() | -> __target_index() | -> cpufreq_freq_transition_begin() | -> cpufreq_notify_transition() | -> ... __kvmclock_cpufreq_notifier() Pero, en realidad, activar dichos bloqueos es m\u00e1s que raro debido a la combinaci\u00f3n de dependencias y tiempos involucrados. Por ejemplo, el notificador cpufreq solo se usa en CPU m\u00e1s antiguas sin un TSC constante, es muy poco com\u00fan alterar la mitigaci\u00f3n de p\u00e1ginas enormes de NX mientras las m\u00e1quinas virtuales se est\u00e1n ejecutando, y hacerlo mientras tambi\u00e9n se conecta o desconecta una CPU (necesario para generar contenci\u00f3n en cpu_hotplug_lock) ser\u00eda a\u00fan m\u00e1s inusual. La soluci\u00f3n m\u00e1s s\u00f3lida para el problema general de cpu_hotplug_lock es probablemente cambiar vm_list para que sea una lista protegida por RCU, por ejemplo, para que el notificador cpufreq de x86 no tome kvm_lock. Por ahora, conform\u00e9monos con arreglar el bloqueo m\u00e1s evidente, ya que cambiar a una lista protegida por RCU es un cambio mucho m\u00e1s complejo, pero agregue un comentario en locking.rst para indicar que se debe tener cuidado al recorrer manteniendo kvm_lock y recorrer vm_list. ======================================================== ADVERTENCIA: posible dependencia de bloqueo circular detectada 6.10.0-smp--c257535a0c9d-pip #330 Tainted: GSO ------------------------------------------------------ tee/35048 est\u00e1 intentando adquirir el bloqueo: ff6a80eced71e0a8 (&kvm->slots_lock){+.+.}-{3:3}, en: set_nx_huge_pages+0x179/0x1e0 [kvm] pero la tarea ya tiene el bloqueo: ffffffffc07abb08 (kvm_lock){+.+.}-{3:3}, en: set_nx_huge_pages+0x14a/0x1e0 [kvm] cuyo bloqueo ya depende del nuevo bloqueo. la cadena de dependencia existente (en orden inverso) es: -> #3 (kvm_lock){+.+.}-{3:3}: __mutex_lock+0x6a/0xb40 mutex_lock_nested+0x1f/0x30 kvm_dev_ioctl+0x4fb/0xe50 [kvm] __se_sys_ioctl+0x7b/0xd0 __x64_sys_ioctl+0x21/0x30 x64_sys_call+0x15d0/0x2e60 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #2 (cpu_hotplug_lock){++++}-{0:0}: Bloqueo de lectura de CPU + 0x2e/0xb0 Clave est\u00e1tica lenta Inc + 0x16/0x30 Base de configuraci\u00f3n de lapic Lapic + 0x6a/0x1c0 [kvm] Base de configuraci\u00f3n de apic Lapic + 0x8f/0xe0 [kvm] MSR com\u00fan Lapic + 0x9ae/0xf80 [kvm] MSR vmx + 0xa54/0xbe0 [kvm_intel] MSR + 0xb6/0x1a0 [kvm] VCPUE ioctl + 0xeca/0x10c0 [kvm] VCPUE ioctl + 0x485/0x5b0 [kvm] SYS ioctl + 0x7b/0xd0 __x64_sys_ioctl+0x21/0x30 x64_sys_call+0x15d0/0x2e60 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&kvm->srcu){.+.+}-{0:0}: __synchronize_srcu+0x44/0x1a0 ---truncado---"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-667"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.3",
              "versionEndExcluding": "6.6.54",
              "matchCriteriaId": "20B4A42E-C497-4CCC-8414-F646F1E472AD"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.7",
              "versionEndExcluding": "6.10.13",
              "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "6.11",
              "versionEndExcluding": "6.11.2",
              "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/44d17459626052a2390457e550a12cb973506b2f",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/4777225ec89f52bb9ca16a33cfb44c189f1b7b47",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/760a196e6dcb29580e468b44b5400171dae184d8",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/a2764afce521fd9fd7a5ff6ed52ac2095873128a",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    }
  ]
}