CVE-2024-35804

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
17/05/2024
Last modified:
19/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Mark target gfn of emulated atomic instruction as dirty

When emulating an atomic access on behalf of the guest, mark the target gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This fixes a bug where KVM effectively corrupts guest memory during live migration by writing to guest memory without informing userspace that the page is dirty.

Marking the page dirty got unintentionally dropped when KVM's emulated CMPXCHG was converted to do a user access. Before that, KVM explicitly mapped the guest page into kernel memory, and marked the page dirty during the unmap phase.

Mark the page dirty even if the CMPXCHG fails, as the old data is written back on failure, i.e. the page is still written. The value written is guaranteed to be the same because the operation is atomic, but KVM's ABI is that all writes are dirty logged regardless of the value written. And more importantly, that's what KVM did before the buggy commit.

Huge kudos to the folks on the Cc list (and many others), who did all the actual work of triaging and debugging.

base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64

Vulnerable products and versions

CPE                                               From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.15.58 (including)   5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.17.13 (including)   5.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.18.2 (including)    6.1.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)       6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)       6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*  -                     -
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*  -                     -
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*  -                     -
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*  -                     -
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*  -                     -
cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*  -                     -
cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:*  -                     -