CVE-2024-50114: KVM: arm64: Unregister redistributor for failed vCPU creation
First published: Tue Nov 05 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unregister redistributor for failed vCPU creation Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM: BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758 CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119 print_report+0x144/0x7a4 mm/kasan/report.c:377 kasan_report+0xcc/0x128 mm/kasan/report.c:601 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409 __fput+0x198/0x71c fs/file_table.c:422 ____fput+0x20/0x30 fs/file_table.c:450 task_work_run+0x1cc/0x23c kernel/task_work.c:228 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598 Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM. It is important to consider the context of commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock. Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | >=6.11<6.11.6 | |
| Linux Kernel | =6.12-rc1 | |
| Linux Kernel | =6.12-rc2 | |
| Linux Kernel | =6.12-rc3 | |
| Linux Kernel | =6.12-rc4 | |
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.128-1 6.12.20-1 6.12.21-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/6bcc2890b883ba1d16b8942937750565f6e9db0d
- https://git.kernel.org/stable/c/ae8f8b37610269009326f4318df161206c59843e
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50114
- https://nvd.nist.gov/vuln/detail/CVE-2024-50114
- https://launchpad.net/bugs/cve/CVE-2024-50114
- https://security-tracker.debian.org/tracker/CVE-2024-50114
- https://ubuntu.com/security/CVE-2024-50114
- https://git.kernel.org/linus/ae8f8b37610269009326f4318df161206c59843e
Frequently Asked Questions
What is the severity of CVE-2024-50114?
CVE-2024-50114 is classified as a use-after-free vulnerability in the Linux kernel affecting KVM on arm64.
How do I fix CVE-2024-50114?
To address CVE-2024-50114, upgrade the Linux kernel to versions 6.11.6 or later, or to 6.12-rc1 or later.
Which versions of the Linux kernel are affected by CVE-2024-50114?
CVE-2024-50114 affects Linux kernel versions from 6.11 up to 6.11.6, as well as versions 6.12-rc1, 6.12-rc2, 6.12-rc3, and 6.12-rc4.
What is the impact of CVE-2024-50114?
The impact of CVE-2024-50114 can lead to potential denial of service or arbitrary code execution due to the use-after-free condition.
Who reported CVE-2024-50114?
CVE-2024-50114 was reported by a security researcher named Alex, who utilized syzkaller to trigger the vulnerability.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/description
- agent/event
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/6.11
- version/linux kernel/6.12-rc1
- version/linux kernel/6.12-rc2
- version/linux kernel/6.12-rc3
- version/linux kernel/6.12-rc4
- package-manager/debian