{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-50114","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T19:36:19.947Z","datePublished":"2024-11-05T17:10:45.984Z","dateUpdated":"2025-05-04T09:46:20.535Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:46:20.535Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unregister redistributor for failed vCPU creation\n\nAlex reports that syzkaller has managed to trigger a use-after-free when\ntearing down a VM:\n\n  BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n  Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758\n\n  CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64\n  Hardware name: linux,dummy-virt (DT)\n  Call trace:\n   dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317\n   show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324\n   __dump_stack lib/dump_stack.c:93 [inline]\n   dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119\n   print_report+0x144/0x7a4 mm/kasan/report.c:377\n   kasan_report+0xcc/0x128 mm/kasan/report.c:601\n   __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381\n   kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769\n   kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409\n   __fput+0x198/0x71c fs/file_table.c:422\n   ____fput+0x20/0x30 fs/file_table.c:450\n   task_work_run+0x1cc/0x23c kernel/task_work.c:228\n   do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50\n   el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169\n   el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730\n   el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598\n\nUpon closer inspection, it appears that we do not properly tear down the\nMMIO registration for a vCPU that fails creation late in the game, e.g.\na vCPU w/ the same ID already exists in the VM.\n\nIt is important to consider the context of commit that introduced this bug\nby moving the unregistration out of __kvm_vgic_vcpu_destroy(). That\nchange correctly sought to avoid an srcu v. config_lock inversion by\nbreaking up the vCPU teardown into two parts, one guarded by the\nconfig_lock.\n\nFix the use-after-free while avoiding lock inversion by adding a\nspecial-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe\nbecause failed vCPUs are torn down outside of the config_lock."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kvm/vgic/vgic-init.c"],"versions":[{"version":"f616506754d34bcfdbfbc7508b562e5c98461e9a","lessThan":"6bcc2890b883ba1d16b8942937750565f6e9db0d","status":"affected","versionType":"git"},{"version":"f616506754d34bcfdbfbc7508b562e5c98461e9a","lessThan":"ae8f8b37610269009326f4318df161206c59843e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kvm/vgic/vgic-init.c"],"versions":[{"version":"6.11","status":"affected"},{"version":"0","lessThan":"6.11","status":"unaffected","versionType":"semver"},{"version":"6.11.6","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.11.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.11","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/6bcc2890b883ba1d16b8942937750565f6e9db0d"},{"url":"https://git.kernel.org/stable/c/ae8f8b37610269009326f4318df161206c59843e"}],"title":"KVM: arm64: Unregister redistributor for failed vCPU creation","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-50114","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-12-11T14:28:29.483370Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-11T14:58:34.119Z"}}]}}