CVE-2024-40953 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin() Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the loads and stores are atomic. In the extremely unlikely scenario the compiler tears the stores, it's theoretically possible for KVM to attempt to get a vCPU using an out-of-bounds index, e.g. if the write is split into multiple 8-bit stores, and is paired with a 32-bit load on a VM with 257 vCPUs: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; As detected by KCSAN: BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) value changed: 0x00000012 -> 0x00000000

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Linux	Linux Kernel

No data.

References

Link	Providers
https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17
https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb
https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180
https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84
https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a
https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c
https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60
https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20
https://lore.kernel.org/linux-cve-announce/2024071223-CVE-2024-40953-8685@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-40953
https://www.cve.org/CVERecord?id=CVE-2024-40953

History

Fri, 08 Nov 2024 16:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17 https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180

Tue, 22 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 22 Oct 2024 14:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84 https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a

Thu, 12 Sep 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-07-12T12:31:56.832Z

Updated: 2025-05-04T09:18:40.758Z

Reserved: 2024-07-12T12:17:45.592Z

Link: CVE-2024-40953

Vulnrichment

Updated: 2024-08-02T04:39:55.851Z

NVD

Status : Awaiting Analysis

Published: 2024-07-12T13:15:17.560

Modified: 2024-11-21T09:31:56.280

Link: CVE-2024-40953

Redhat

Severity : Moderate

Publid Date: 2024-07-12T00:00:00Z

Links: CVE-2024-40953 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40953", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-12T12:17:45.592Z", "datePublished": "2024-07-12T12:31:56.832Z", "dateUpdated": "2025-05-04T09:18:40.758Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:18:40.758Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n CPU0 CPU1\n last_boosted_vcpu = 0xff;\n\n (last_boosted_vcpu = 0x100)\n last_boosted_vcpu[15:8] = 0x01;\n i = (last_boosted_vcpu = 0x1ff)\n last_boosted_vcpu[7:0] = 0x00;\n\n vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n value changed: 0x00000012 -> 0x00000000"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["virt/kvm/kvm_main.c"], "versions": [{"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "11a772d5376aa6d3e2e69b5b5c585f79b60c0e17", "status": "affected", "versionType": "git"}, {"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "4c141136a28421b78f34969b25a4fa32e06e2180", "status": "affected", "versionType": "git"}, {"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84", "status": "affected", "versionType": "git"}, {"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "82bd728a06e55f5b5f93d10ce67f4fe7e689853a", "status": "affected", "versionType": "git"}, {"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "92c77807d938145c7c3350c944ef9f39d7f6017c", "status": "affected", "versionType": "git"}, {"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "a937ef951bba72f48d2402451419d725d70dba20", "status": "affected", "versionType": "git"}, {"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "95c8dd79f3a14df96b3820b35b8399bd91b2be60", "status": "affected", "versionType": "git"}, {"version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "49f683b41f28918df3e51ddc0d928cb2e934ccdb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["virt/kvm/kvm_main.c"], "versions": [{"version": "2.6.39", "status": "affected"}, {"version": "0", "lessThan": "2.6.39", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.323", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.285", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.228", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.169", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.96", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.36", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.7", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "4.19.323"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "5.4.285"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "5.10.228"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "5.15.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.1.96"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.6.36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.9.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.39", "versionEndExcluding": "6.10"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17"}, {"url": "https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180"}, {"url": "https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84"}, {"url": "https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a"}, {"url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c"}, {"url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20"}, {"url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60"}, {"url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb"}], "title": "KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.851Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40953", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:03:52.034893Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:24.499Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:39:55.851Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40953", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:03:52.034893Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:22.465Z"}}], "cna": {"title": "KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "11a772d5376aa6d3e2e69b5b5c585f79b60c0e17", "versionType": "git"}, {"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "4c141136a28421b78f34969b25a4fa32e06e2180", "versionType": "git"}, {"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84", "versionType": "git"}, {"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "82bd728a06e55f5b5f93d10ce67f4fe7e689853a", "versionType": "git"}, {"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "92c77807d938145c7c3350c944ef9f39d7f6017c", "versionType": "git"}, {"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "a937ef951bba72f48d2402451419d725d70dba20", "versionType": "git"}, {"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "95c8dd79f3a14df96b3820b35b8399bd91b2be60", "versionType": "git"}, {"status": "affected", "version": "217ece6129f2d3b4fdd18d9e79be9e43d8d14a42", "lessThan": "49f683b41f28918df3e51ddc0d928cb2e934ccdb", "versionType": "git"}], "programFiles": ["virt/kvm/kvm_main.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.39"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.39", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.323", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.285", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.228", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.169", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.96", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.36", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.9.7", "versionType": "semver", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["virt/kvm/kvm_main.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17"}, {"url": "https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180"}, {"url": "https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84"}, {"url": "https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a"}, {"url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c"}, {"url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20"}, {"url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60"}, {"url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n CPU0 CPU1\n last_boosted_vcpu = 0xff;\n\n (last_boosted_vcpu = 0x100)\n last_boosted_vcpu[15:8] = 0x01;\n i = (last_boosted_vcpu = 0x1ff)\n last_boosted_vcpu[7:0] = 0x00;\n\n vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n value changed: 0x00000012 -> 0x00000000"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T09:08:50.435Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40953", "state": "PUBLISHED", "dateUpdated": "2024-12-19T09:08:50.435Z", "dateReserved": "2024-07-12T12:17:45.592Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-12T12:31:56.832Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\n\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\n\n CPU0 CPU1\n last_boosted_vcpu = 0xff;\n\n (last_boosted_vcpu = 0x100)\n last_boosted_vcpu[15:8] = 0x01;\n i = (last_boosted_vcpu = 0x1ff)\n last_boosted_vcpu[7:0] = 0x00;\n\n vcpu = kvm->vcpu_array[0x1ff];\n\nAs detected by KCSAN:\n\n BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\n\n write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t arch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\n kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\n handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\n vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\n\t\t\tarch/x86/kvm/vmx/vmx.c:6606) kvm_intel\n vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\n kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\n kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n __x64_sys_ioctl (fs/ioctl.c:890)\n x64_sys_call (arch/x86/entry/syscall_64.c:33)\n do_syscall_64 (arch/x86/entry/common.c:?)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\n value changed: 0x00000012 -> 0x00000000"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: KVM: solucione una ejecuci\u00f3n de datos en last_boosted_vcpu en kvm_vcpu_on_spin() Utilice {READ,WRITE}_ONCE() para acceder a kvm->last_boosted_vcpu para garantizar que las cargas y los almacenes sean at\u00f3micos. En el escenario extremadamente improbable de que el compilador rompa los almacenes, es te\u00f3ricamente posible que KVM intente obtener una vCPU utilizando un \u00edndice fuera de los l\u00edmites, por ejemplo, si la escritura se divide en varios almacenes de 8 bits y se combina con un 32 -carga de bits en una VM con 257 vCPU: CPU0 CPU1 last_boosted_vcpu = 0xff; (last_boosted_vcpu = 0x100) last_boosted_vcpu[15:8] = 0x01; i = (last_boosted_vcpu = 0x1ff) last_boosted_vcpu[7:0] = 0x00; vcpu = kvm->vcpu_array[0x1ff]; Seg\u00fan lo detectado por KCSAN: ERROR: KCSAN: ejecuci\u00f3n de datos en kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm] escribe en 0xffffc90025a92344 de 4 bytes por tarea 4340 en la CPU 16: kvm_vcpu_on_spin (arch/x86/kvm/../../. ./virt/kvm/kvm_main.c:4112) kvm handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm /vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c :890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) Entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64 .S:130) le\u00eddo en 0xffffc90025a92344 de 4 bytes por la tarea 4342 en la CPU 4: kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm handle_pause (arch/ x86/kvm/vmx/vmx.c:5929) kvm_intel vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:? arch/x86/kvm/vmx/vmx.c:6606) kvm_intel vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86 .c:?) kvm kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm __se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890) __x64_sys_ioctl (fs/ioctl.c:890) x64_sys_call (arch/x86/entry/syscall_64.c:33) do_syscall_64 (arch/x86/entry/common.c:?) Entry_SYSCALL_64_after_hwframe (arch/ x86/entry/entry_64.S:130) valor cambiado: 0x00000012 -> 0x00000000"}], "id": "CVE-2024-40953", "lastModified": "2024-11-21T09:31:56.280", "metrics": {}, "published": "2024-07-12T13:15:17.560", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()", "id": "2297537", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297537"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()\nUse {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the\nloads and stores are atomic. In the extremely unlikely scenario the\ncompiler tears the stores, it's theoretically possible for KVM to attempt\nto get a vCPU using an out-of-bounds index, e.g. if the write is split\ninto multiple 8-bit stores, and is paired with a 32-bit load on a VM with\n257 vCPUs:\nCPU0 CPU1\nlast_boosted_vcpu = 0xff;\n(last_boosted_vcpu = 0x100)\nlast_boosted_vcpu[15:8] = 0x01;\ni = (last_boosted_vcpu = 0x1ff)\nlast_boosted_vcpu[7:0] = 0x00;\nvcpu = kvm->vcpu_array[0x1ff];\nAs detected by KCSAN:\nBUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]\nwrite to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:\nkvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm\nhandle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\nvmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\narch/x86/kvm/vmx/vmx.c:6606) kvm_intel\nvcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\nkvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\nkvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n__x64_sys_ioctl (fs/ioctl.c:890)\nx64_sys_call (arch/x86/entry/syscall_64.c:33)\ndo_syscall_64 (arch/x86/entry/common.c:?)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nread to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:\nkvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm\nhandle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel\nvmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?\narch/x86/kvm/vmx/vmx.c:6606) kvm_intel\nvcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm\nkvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm\nkvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm\n__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)\n__x64_sys_ioctl (fs/ioctl.c:890)\nx64_sys_call (arch/x86/entry/syscall_64.c:33)\ndo_syscall_64 (arch/x86/entry/common.c:?)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nvalue changed: 0x00000012 -> 0x00000000"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-40953", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40953\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40953\nhttps://lore.kernel.org/linux-cve-announce/2024071223-CVE-2024-40953-8685@gregkh/T"], "statement": "Red Hat Enterprise Linux is not impacted by this CVE, as the vulnerability in question does not affect the specific versions or configurations of the Linux kernel used in its distributions. This ensures that users of Red Hat Enterprise Linux are not exposed to the potential risks associated with this issue, and no further action or mitigation is necessary for systems running this operating system.", "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object