CVE-2024-44943

{"id": "CVE-2024-44943", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-28T08:15:06.963", "references": [{"url": "https://git.kernel.org/stable/c/26273f5f4cf68b29414e403837093408a9c98e1f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f442fa6141379a20b48ae3efabee827a3d260787", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: gup: stop abusing try_grab_folio\n\nA kernel warning was reported when pinning folio in CMA memory when\nlaunching SEV virtual machine. The splat looks like:\n\n[ 464.325306] WARNING: CPU: 13 PID: 6734 at mm/gup.c:1313 __get_user_pages+0x423/0x520\n[ 464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: loaded Not tainted 6.6.33+ #6\n[ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520\n[ 464.325515] Call Trace:\n[ 464.325520] <TASK>\n[ 464.325523] ? __get_user_pages+0x423/0x520\n[ 464.325528] ? __warn+0x81/0x130\n[ 464.325536] ? __get_user_pages+0x423/0x520\n[ 464.325541] ? report_bug+0x171/0x1a0\n[ 464.325549] ? handle_bug+0x3c/0x70\n[ 464.325554] ? exc_invalid_op+0x17/0x70\n[ 464.325558] ? asm_exc_invalid_op+0x1a/0x20\n[ 464.325567] ? __get_user_pages+0x423/0x520\n[ 464.325575] __gup_longterm_locked+0x212/0x7a0\n[ 464.325583] internal_get_user_pages_fast+0xfb/0x190\n[ 464.325590] pin_user_pages_fast+0x47/0x60\n[ 464.325598] sev_pin_memory+0xca/0x170 [kvm_amd]\n[ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd]\n\nPer the analysis done by yangge, when starting the SEV virtual machine, it\nwill call pin_user_pages_fast(..., FOLL_LONGTERM, ...) to pin the memory. \nBut the page is in CMA area, so fast GUP will fail then fallback to the\nslow path due to the longterm pinnalbe check in try_grab_folio().\n\nThe slow path will try to pin the pages then migrate them out of CMA area.\nBut the slow path also uses try_grab_folio() to pin the page, it will\nalso fail due to the same check then the above warning is triggered.\n\nIn addition, the try_grab_folio() is supposed to be used in fast path and\nit elevates folio refcount by using add ref unless zero. We are guaranteed\nto have at least one stable reference in slow path, so the simple atomic add\ncould be used. The performance difference should be trivial, but the\nmisuse may be confusing and misleading.\n\nRedefined try_grab_folio() to try_grab_folio_fast(), and try_grab_page()\nto try_grab_folio(), and use them in the proper paths. This solves both\nthe abuse and the kernel warning.\n\nThe proper naming makes their usecase more clear and should prevent from\nabusing in the future.\n\npeterx said:\n\n: The user will see the pin fails, for gpu-slow it further triggers the WARN\n: right below that failure (as in the original report):\n: \n: folio = try_grab_folio(page, page_increm - 1,\n: foll_flags);\n: if (WARN_ON_ONCE(!folio)) { <------------------------ here\n: /*\n: * Release the 1st page ref if the\n: * folio is problematic, fail hard.\n: */\n: gup_put_folio(page_folio(page), 1,\n: foll_flags);\n: ret = -EFAULT;\n: goto out;\n: }\n\n[1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/\n\n[shy828301@gmail.com: fix implicit declaration of function try_grab_folio_fast]\n Link: https://lkml.kernel.org/r/CAHbLzkowMSso-4Nufc9hcMehQsK9PNz3OSu-+eniU-2Mm-xjhA@mail.gmail.com"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mm: gup: deja de abusar de try_grab_folio Se inform\u00f3 una advertencia del kernel al fijar folio en la memoria CMA al iniciar la m\u00e1quina virtual SEV. El s\u00edmbolo se ve as\u00ed: [464.325306] ADVERTENCIA: CPU: 13 PID: 6734 en mm/gup.c:1313 __get_user_pages+0x423/0x520 [464.325464] CPU: 13 PID: 6734 Comm: qemu-kvm Kdump: cargado No contaminado 6.6. 33+ #6 [ 464.325477] RIP: 0010:__get_user_pages+0x423/0x520 [ 464.325515] Seguimiento de llamadas: [ 464.325520] [ 464.325523] ? __get_user_pages+0x423/0x520 [464.325528] ? __advertir+0x81/0x130 [ 464.325536] ? __get_user_pages+0x423/0x520 [464.325541] ? report_bug+0x171/0x1a0 [464.325549]? handle_bug+0x3c/0x70 [464.325554]? exc_invalid_op+0x17/0x70 [464.325558]? asm_exc_invalid_op+0x1a/0x20 [464.325567]? __get_user_pages+0x423/0x520 [ 464.325575] __gup_longterm_locked+0x212/0x7a0 [ 464.325583] internal_get_user_pages_fast+0xfb/0x190 [ 464.325590] pin_user_pages_fast+0x47/0x60 [ 4 64.325598] sev_pin_memory+0xca/0x170 [kvm_amd] [ 464.325616] sev_mem_enc_register_region+0x81/0x130 [kvm_amd ] Seg\u00fan el an\u00e1lisis realizado por yangge, al iniciar la m\u00e1quina virtual SEV, llamar\u00e1 a pin_user_pages_fast(..., FOLL_LONGTERM, ...) para fijar la memoria. Pero la p\u00e1gina est\u00e1 en el \u00e1rea CMA, por lo que el GUP r\u00e1pido fallar\u00e1 y luego volver\u00e1 a la ruta lenta debido a la verificaci\u00f3n pinnalbe a largo plazo en try_grab_folio(). La ruta lenta intentar\u00e1 fijar las p\u00e1ginas y luego migrarlas fuera del \u00e1rea CMA. Pero la ruta lenta tambi\u00e9n usa try_grab_folio() para fijar la p\u00e1gina, tambi\u00e9n fallar\u00e1 debido a la misma verificaci\u00f3n y luego se activa la advertencia anterior. Adem\u00e1s, se supone que try_grab_folio() se usa en la ruta r\u00e1pida y eleva el recuento de folios usando add ref a menos que sea cero. Tenemos la garant\u00eda de tener al menos una referencia estable en una ruta lenta, por lo que se podr\u00eda utilizar la adici\u00f3n at\u00f3mica simple. La diferencia de rendimiento deber\u00eda ser trivial, pero el mal uso puede resultar confuso y enga\u00f1oso. Redefini\u00f3 try_grab_folio() a try_grab_folio_fast() y try_grab_page() a try_grab_folio(), y util\u00edcelos en las rutas adecuadas. Esto resuelve tanto el abuso como la advertencia del kernel. La denominaci\u00f3n adecuada aclara su caso de uso y deber\u00eda evitar abusos en el futuro. peterx dijo: El usuario ver\u00e1 que el pin falla, para gpu-slow activa a\u00fan m\u00e1s la ADVERTENCIA: justo debajo de ese error (como en el informe original): : : folio = try_grab_folio(page, page_increm - 1, : foll_flags); : if (WARN_ON_ONCE(!folio)) { &lt;------------------------ aqu\u00ed : /* : * Liberar la referencia de la primera p\u00e1gina si : * El folio es problem\u00e1tico, falla mucho. : */ : gup_put_folio(page_folio(p\u00e1gina), 1, : foll_flags); : ret = -EFALLO; : salir; : } [1] https://lore.kernel.org/linux-mm/1719478388-31917-1-git-send-email-yangge1116@126.com/ [shy828301@gmail.com: corrige la declaraci\u00f3n impl\u00edcita de la funci\u00f3n try_grab_folio_fast ] Enlace: https://lkml.kernel.org/r/CAHbLzkowMSso-4Nufc9hcMehQsK9PNz3OSu-+eniU-2Mm-xjhA@mail.gmail.com"}], "lastModified": "2024-09-10T18:12:43.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AABC43B-32BD-4F20-B41B-C817DB416EBB", "versionEndExcluding": "6.6.47", "versionStartIncluding": "6.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F46CA525-D593-408C-8762-DA4078542A27", "versionEndExcluding": "6.10", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EBB4392-5FA6-4DA9-9772-8F9C750109FA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "331C2F14-12C7-45D5-893D-8C52EE38EA10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3173713D-909A-4DD3-9DD4-1E171EB057EE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79F18AFA-40F7-43F0-BA30-7BDB65F918B9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD973AA4-A789-49BD-8D57-B2846935D3C7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F3E9E0C-AC3E-4967-AF80-6483E8AB0078"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.10:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11AF4CB9-F697-4EA4-8903-8F9417EFDA8E"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}