CVE-2024-35804
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-35804
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35804.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-35804
- Downstream
- Related
- Published
- 2024-05-17T13:23:12.895Z
- Modified
- 2025-11-27T02:32:18.377441Z
- Summary
- KVM: x86: Mark target gfn of emulated atomic instruction as dirty
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Mark target gfn of emulated atomic instruction as dirty
When emulating an atomic access on behalf of the guest, mark the target gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This fixes a bug where KVM effectively corrupts guest memory during live migration by writing to guest memory without informing userspace that the page is dirty.
Marking the page dirty got unintentionally dropped when KVM's emulated CMPXCHG was converted to do a user access. Before that, KVM explicitly mapped the guest page into kernel memory, and marked the page dirty during the unmap phase.
Mark the page dirty even if the CMPXCHG fails, as the old data is written back on failure, i.e. the page is still written. The value written is guaranteed to be the same because the operation is atomic, but KVM's ABI is that all writes are dirty logged regardless of the value written. And more importantly, that's what KVM did before the buggy commit.
Huge kudos to the folks on the Cc list (and many others), who did all the actual work of triaging and debugging.
base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2024/35xxx/CVE-2024-35804.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71
- https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06
- https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902
- https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551
- https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd97c0667c1e61ded6639117b4b9584a9c12b7e66Fixeda9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1c2361f667f3648855ceae25f1332c18413fdb9fFixed726374dde5d608b15b9756bd52b6fc283fda7a06
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1c2361f667f3648855ceae25f1332c18413fdb9fFixed9d1b22e573a3789ed1f32033ee709106993ba551
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1c2361f667f3648855ceae25f1332c18413fdb9fFixed225d587a073584946c05c9b7651d637bd45c0c71
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced1c2361f667f3648855ceae25f1332c18413fdb9fFixed910c57dfa4d113aae6571c2a8b9ae8c430975902
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedb0f294103f4cf733e23d3f0c4e5fd58e42998921
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectede964665cc7ca13a16992b205fce63554b9efc78b
Linux / Kernel
Package
- Name
- Kernel