ghsa-6mv6-cjvx-gfvm
Vulnerability from github
Published
2024-12-27 15:31
Modified
2024-12-27 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Get rid of userspace_irqchip_in_use

Improper use of userspace_irqchip_in_use led to syzbot hitting the following WARN_ON() in kvm_timer_update_irq():

WARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459 kvm_timer_update_irq+0x21c/0x394 Call trace: kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459 kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968 kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264 kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline] kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline] kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695 kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The following sequence led to the scenario: - Userspace creates a VM and a vCPU. - The vCPU is initialized with KVM_ARM_VCPU_PMU_V3 during KVM_ARM_VCPU_INIT. - Without any other setup, such as vGIC or vPMU, userspace issues KVM_RUN on the vCPU. Since the vPMU is requested, but not setup, kvm_arm_pmu_v3_enable() fails in kvm_arch_vcpu_run_pid_change(). As a result, KVM_RUN returns after enabling the timer, but before incrementing 'userspace_irqchip_in_use': kvm_arch_vcpu_run_pid_change() ret = kvm_arm_pmu_v3_enable() if (!vcpu->arch.pmu.created) return -EINVAL; if (ret) return ret; [...] if (!irqchip_in_kernel(kvm)) static_branch_inc(&userspace_irqchip_in_use); - Userspace ignores the error and issues KVM_ARM_VCPU_INIT again. Since the timer is already enabled, control moves through the following flow, ultimately hitting the WARN_ON(): kvm_timer_vcpu_reset() if (timer->enabled) kvm_timer_update_irq() if (!userspace_irqchip()) ret = kvm_vgic_inject_irq() ret = vgic_lazy_init() if (unlikely(!vgic_initialized(kvm))) if (kvm->arch.vgic.vgic_model != KVM_DEV_TYPE_ARM_VGIC_V2) return -EBUSY; WARN_ON(ret);

Theoretically, since userspace_irqchip_in_use's functionality can be simply replaced by '!irqchip_in_kernel()', get rid of the static key to avoid the mismanagement, which also helps with the syzbot issue.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-53195"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T14:15:27Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Get rid of userspace_irqchip_in_use\n\nImproper use of userspace_irqchip_in_use led to syzbot hitting the\nfollowing WARN_ON() in kvm_timer_update_irq():\n\nWARNING: CPU: 0 PID: 3281 at arch/arm64/kvm/arch_timer.c:459\nkvm_timer_update_irq+0x21c/0x394\nCall trace:\n  kvm_timer_update_irq+0x21c/0x394 arch/arm64/kvm/arch_timer.c:459\n  kvm_timer_vcpu_reset+0x158/0x684 arch/arm64/kvm/arch_timer.c:968\n  kvm_reset_vcpu+0x3b4/0x560 arch/arm64/kvm/reset.c:264\n  kvm_vcpu_set_target arch/arm64/kvm/arm.c:1553 [inline]\n  kvm_arch_vcpu_ioctl_vcpu_init arch/arm64/kvm/arm.c:1573 [inline]\n  kvm_arch_vcpu_ioctl+0x112c/0x1b3c arch/arm64/kvm/arm.c:1695\n  kvm_vcpu_ioctl+0x4ec/0xf74 virt/kvm/kvm_main.c:4658\n  vfs_ioctl fs/ioctl.c:51 [inline]\n  __do_sys_ioctl fs/ioctl.c:907 [inline]\n  __se_sys_ioctl fs/ioctl.c:893 [inline]\n  __arm64_sys_ioctl+0x108/0x184 fs/ioctl.c:893\n  __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n  invoke_syscall+0x78/0x1b8 arch/arm64/kernel/syscall.c:49\n  el0_svc_common+0xe8/0x1b0 arch/arm64/kernel/syscall.c:132\n  do_el0_svc+0x40/0x50 arch/arm64/kernel/syscall.c:151\n  el0_svc+0x54/0x14c arch/arm64/kernel/entry-common.c:712\n  el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730\n  el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nThe following sequence led to the scenario:\n - Userspace creates a VM and a vCPU.\n - The vCPU is initialized with KVM_ARM_VCPU_PMU_V3 during\n   KVM_ARM_VCPU_INIT.\n - Without any other setup, such as vGIC or vPMU, userspace issues\n   KVM_RUN on the vCPU. Since the vPMU is requested, but not setup,\n   kvm_arm_pmu_v3_enable() fails in kvm_arch_vcpu_run_pid_change().\n   As a result, KVM_RUN returns after enabling the timer, but before\n   incrementing \u0027userspace_irqchip_in_use\u0027:\n   kvm_arch_vcpu_run_pid_change()\n       ret = kvm_arm_pmu_v3_enable()\n           if (!vcpu-\u003earch.pmu.created)\n               return -EINVAL;\n       if (ret)\n           return ret;\n       [...]\n       if (!irqchip_in_kernel(kvm))\n           static_branch_inc(\u0026userspace_irqchip_in_use);\n - Userspace ignores the error and issues KVM_ARM_VCPU_INIT again.\n   Since the timer is already enabled, control moves through the\n   following flow, ultimately hitting the WARN_ON():\n   kvm_timer_vcpu_reset()\n       if (timer-\u003eenabled)\n          kvm_timer_update_irq()\n              if (!userspace_irqchip())\n                  ret = kvm_vgic_inject_irq()\n                      ret = vgic_lazy_init()\n                          if (unlikely(!vgic_initialized(kvm)))\n                              if (kvm-\u003earch.vgic.vgic_model !=\n                                  KVM_DEV_TYPE_ARM_VGIC_V2)\n                                      return -EBUSY;\n                  WARN_ON(ret);\n\nTheoretically, since userspace_irqchip_in_use\u0027s functionality can be\nsimply replaced by \u0027!irqchip_in_kernel()\u0027, get rid of the static key\nto avoid the mismanagement, which also helps with the syzbot issue.",
  "id": "GHSA-6mv6-cjvx-gfvm",
  "modified": "2024-12-27T15:31:51Z",
  "published": "2024-12-27T15:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53195"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38d7aacca09230fdb98a34194fec2af597e8e20d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c16e2dba39ff6ae84bb8dc9c8e0fb21d9b2f6f5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd2f9861f27571d47998d71e7516bf7216db0b52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe425d5239a28c21e0c83ee7a8f4cb210d29fdb4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…