CVE-2024-46830

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/09/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly
leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX
reads guest memory.

Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN
via sync_regs(), which already holds SRCU. I.e. trying to precisely use
kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause
problems. Acquiring SRCU isn't all that expensive, so for simplicity,
grab it unconditionally for KVM_SET_VCPU_EVENTS.

=============================
WARNING: suspicious RCU usage
6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted
-----------------------------
include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by repro/1071:
#0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]

stack backtrace:
CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:

dump_stack_lvl+0x7f/0x90
lockdep_rcu_suspicious+0x13f/0x1a0
kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]
kvm_vcpu_read_guest+0x3e/0x90 [kvm]
nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]
load_vmcs12_host_state+0x432/0xb40 [kvm_intel]
vmx_leave_nested+0x30/0x40 [kvm_intel]
kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]
kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]
? mark_held_locks+0x49/0x70
? kvm_vcpu_ioctl+0x7d/0x970 [kvm]
? kvm_vcpu_ioctl+0x497/0x970 [kvm]
kvm_vcpu_ioctl+0x497/0x970 [kvm]
? lock_acquire+0xba/0x2d0
? find_held_lock+0x2b/0x80
? do_user_addr_fault+0x40c/0x6f0
? lock_release+0xb7/0x270
__x64_sys_ioctl+0x82/0xb0
do_syscall_64+0x6c/0x170
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7ff11eb1b539

Vulnerable products and versions

CPE                                                   From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          5.17 (including)    6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.2 (including)     6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*          6.7 (including)     6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:5.10.97:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15.19:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.16.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*
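The following is an added screening helper, not part of this record or of the kernel project: it turns the CPE table above into a version check a defender can run against `uname -r` output. The ranges and exact versions are copied from the table; the version parsing and rc ordering are this example's own assumptions, and the check knows nothing about distribution backports.

```python
"""Screen a kernel version string against the affected ranges listed for
CVE-2024-46830 in the CPE table above (added example; ranges copied from
the table, parsing logic is the example's own)."""
import re
from typing import Tuple

# (major, minor, patch, is_release, rc): rc builds sort before the final
# release, so 6.11-rc6 < 6.11 while 6.11.1 > 6.11.
Version = Tuple[int, int, int, int, int]

# Accepts "6.10.9", "6.11-rc3", "6.11.0-rc3" and uname -r strings such as
# "6.6.50-generic"; anything after the recognised prefix is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?rc(\d+))?")


def parse_version(s: str) -> Version:
    """Parse a kernel version string into a comparable tuple."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


# Ranges from the table: "From (including)" / "Up to (excluding)".
AFFECTED_RANGES = [
    ("5.17", "6.1.110"),
    ("6.2", "6.6.51"),
    ("6.7", "6.10.10"),
]
# Versions the table lists individually (6.11 rc1 through rc6).
AFFECTED_EXACT = ["5.10.97", "5.15.19", "5.16.5"] + [f"6.11-rc{n}" for n in range(1, 7)]


def is_affected(version: str) -> bool:
    """True if the upstream version lies in an affected range or exact entry.
    Distribution kernels may carry the fix as a backport, so treat a True
    result as 'check the vendor advisory', not as confirmed vulnerable."""
    v = parse_version(version)
    if any(v == parse_version(e) for e in AFFECTED_EXACT):
        return True
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    import platform
    running = platform.release()  # same string as uname -r
    print(f"{running}: {'in affected range' if is_affected(running) else 'not listed'}")
```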