CVE-2024-50114

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50114
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50114.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50114
Downstream
Related
Published
2024-11-05T17:10:45Z
Modified
2025-10-17T15:22:05.952971Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
KVM: arm64: Unregister redistributor for failed vCPU creation
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unregister redistributor for failed vCPU creation

Alex reports that syzkaller has managed to trigger a use-after-free when tearing down a VM:

BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758

CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119
 print_report+0x144/0x7a4 mm/kasan/report.c:377
 kasan_report+0xcc/0x128 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409
 __fput+0x198/0x71c fs/file_table.c:422
 fput+0x20/0x30 fs/file_table.c:450
 task_work_run+0x1cc/0x23c kernel/task_work.c:228
 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50
 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169
 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Upon closer inspection, it appears that we do not properly tear down the MMIO registration for a vCPU that fails creation late in the game, e.g. a vCPU w/ the same ID already exists in the VM.

It is important to consider the context of commit that introduced this bug by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That change correctly sought to avoid an srcu v. config_lock inversion by breaking up the vCPU teardown into two parts, one guarded by the config_lock.

Fix the use-after-free while avoiding lock inversion by adding a special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe because failed vCPUs are torn down outside of the config_lock.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f616506754d34bcfdbfbc7508b562e5c98461e9a
Fixed
6bcc2890b883ba1d16b8942937750565f6e9db0d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f616506754d34bcfdbfbc7508b562e5c98461e9a
Fixed
ae8f8b37610269009326f4318df161206c59843e

Affected versions

v6.*

v6.11
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.12-rc1

Database specific

vanir_signatures


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.6