7.8
HIGH
CVE-2024-41070
KVM powerpc PPCHV Use-After-Free
Description

In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV Call Trace: dump_stack_lvl+0xb4/0x108 (unreliable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Freed by task 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [kvm] rcu_core+0x568/0x16a0 handle_softirqs+0x23c/0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394/0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF.

INFO

Published Date :

July 29, 2024, 3:15 p.m.

Last Modified :

Nov. 21, 2024, 9:32 a.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

5.9

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2024-41070 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-41070.

URL Resource
https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0 Patch
https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a Patch
https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf Patch
https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe Patch
https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63 Patch
https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47 Patch
https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491 Patch
https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0 Patch
https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a Patch
https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf Patch
https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe Patch
https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63 Patch
https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47 Patch
https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491 Patch

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-41070 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-41070 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0
    Added Reference https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a
    Added Reference https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf
    Added Reference https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe
    Added Reference https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63
    Added Reference https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47
    Added Reference https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491
  • Initial Analysis by [email protected]

    Aug. 22, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0 No Types Assigned https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0 Patch
    Changed Reference Type https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a No Types Assigned https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a Patch
    Changed Reference Type https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf No Types Assigned https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf Patch
    Changed Reference Type https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe No Types Assigned https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe Patch
    Changed Reference Type https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63 No Types Assigned https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63 Patch
    Changed Reference Type https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47 No Types Assigned https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47 Patch
    Changed Reference Type https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491 No Types Assigned https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491 Patch
    Added CWE NIST CWE-416
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 5.4.281 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.223 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.164 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.101 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.42 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.9.11
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Jul. 29, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group(). It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`. Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions. With an artifcial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF: BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505 CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1 Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV Call Trace: dump_stack_lvl+0xb4/0x108 (unreliable) print_report+0x2b4/0x6ec kasan_report+0x118/0x2b0 __asan_load4+0xb8/0xd0 kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm] kvm_vfio_set_attr+0x524/0xac0 [kvm] kvm_device_ioctl+0x144/0x240 [kvm] sys_ioctl+0x62c/0x1810 system_call_exception+0x190/0x440 system_call_vectored_common+0x15c/0x2ec ... Freed by task 0: ... kfree+0xec/0x3e0 release_spapr_tce_table+0xd4/0x11c [kvm] rcu_core+0x568/0x16a0 handle_softirqs+0x23c/0x920 do_softirq_own_stack+0x6c/0x90 do_softirq_own_stack+0x58/0x90 __irq_exit_rcu+0x218/0x2d0 irq_exit+0x30/0x80 arch_local_irq_restore+0x128/0x230 arch_local_irq_enable+0x1c/0x30 cpuidle_enter_state+0x134/0x5cc cpuidle_enter+0x6c/0xb0 call_cpuidle+0x7c/0x100 do_idle+0x394/0x410 cpu_startup_entry+0x60/0x70 start_secondary+0x3fc/0x410 start_secondary_prolog+0x10/0x14 Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup. With the fix in place the test case no longer triggers the UAF.
    Added Reference kernel.org https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-41070 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-41070 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
:
© cvefeed.io
Latest DB Update: May. 12, 2025 15:41