{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38610", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-18T19:36:34.942Z", "datePublished": "2024-06-19T13:56:12.083Z", "dateUpdated": "2024-11-05T09:30:54.706Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:30:54.706Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/virt/acrn/mm.c"], "versions": [{"version": "b9c43aa0b18d", "lessThan": "5c6705aa47b5", "status": "affected", "versionType": "git"}, {"version": "8a6e85f75a83", "lessThan": "afeb0e696276", "status": "affected", "versionType": "git"}, {"version": "8a6e85f75a83", "lessThan": "e873f36ec890", "status": "affected", "versionType": "git"}, {"version": "8a6e85f75a83", "lessThan": "4c4ba3cf3a15", "status": "affected", "versionType": "git"}, {"version": "8a6e85f75a83", "lessThan": "2c8d6e24930b", "status": "affected", "versionType": "git"}, {"version": "8a6e85f75a83", "lessThan": "3d6586008f7b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/virt/acrn/mm.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.161", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.93", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.33", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8.12", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.9.3", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a"}, {"url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32"}, {"url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6"}, {"url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4"}, {"url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb"}, {"url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559"}], "title": "drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-24T18:14:59.732296Z", "id": "CVE-2024-38610", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T18:15:07.284Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:12:25.993Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38610", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-24T18:14:59.732296Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T18:15:04.471Z"}}], "cna": {"title": "drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "b9c43aa0b18d", "lessThan": "5c6705aa47b5", "versionType": "git"}, {"status": "affected", "version": "8a6e85f75a83", "lessThan": "afeb0e696276", "versionType": "git"}, {"status": "affected", "version": "8a6e85f75a83", "lessThan": "e873f36ec890", "versionType": "git"}, {"status": "affected", "version": "8a6e85f75a83", "lessThan": "4c4ba3cf3a15", "versionType": "git"}, {"status": "affected", "version": "8a6e85f75a83", "lessThan": "2c8d6e24930b", "versionType": "git"}, {"status": "affected", "version": "8a6e85f75a83", "lessThan": "3d6586008f7b", "versionType": "git"}], "programFiles": ["drivers/virt/acrn/mm.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.18"}, {"status": "unaffected", "version": "0", "lessThan": "5.18", "versionType": "custom"}, {"status": "unaffected", "version": "5.15.161", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.93", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.33", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.8.12", "versionType": "custom", "lessThanOrEqual": "6.8.*"}, {"status": "unaffected", "version": "6.9.3", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/virt/acrn/mm.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a"}, {"url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32"}, {"url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6"}, {"url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4"}, {"url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb"}, {"url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-15T06:49:01.613Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38610", "state": "PUBLISHED", "dateUpdated": "2024-07-15T06:49:01.613Z", "dateReserved": "2024-06-18T19:36:34.942Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-06-19T13:56:12.083Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\n\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\n\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\n\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\n\n\nThis patch (of 3):\n\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n\n(1) We're not checking PTE write permissions.\n\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n\n(2) We're not rejecting refcounted pages.\n\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n\n(3) We are only looking at the first PTE of a bigger range.\n\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers/virt/acrn: corrige las comprobaciones de PFNMAP PTE en acrn_vm_ram_map() Serie de parches \"mm: mejoras en follow_pte() y correcciones en acrn follow_pte()\". El parche n.\u00ba 1 soluciona varios problemas que detect\u00e9 en el controlador acrn. Se compila, eso es todo lo que s\u00e9. Apreciar\u00e9 algunas revisiones y pruebas por parte de la gente de acrn. El parche #2+#3 mejora follow_pte(), pasa un VMA en lugar del MM, agrega m\u00e1s controles de cordura y mejora la documentaci\u00f3n. Lo prob\u00e9 r\u00e1pidamente en x86-64 usando VM_PAT y termin\u00f3 usando follow_pte(). Este parche (de 3): Actualmente no manejamos varios casos, lo que resulta en un uso peligroso de follow_pte() (anteriormente follow_pfn()). (1) No estamos verificando los permisos de escritura de PTE. \u00bfQuiz\u00e1s simplemente deber\u00edamos requerir siempre pte_write() como lo hacemos para pin_user_pages_fast(FOLL_WRITE)? Es dif\u00edcil saberlo, as\u00ed que busquemos ACRN_MEM_ACCESS_WRITE por ahora. (2) No rechazamos p\u00e1ginas recontadas. Como no utilizamos notificadores MMU, jugar con p\u00e1ginas descontadas es peligroso y puede resultar en use-after-free. Asegur\u00e9monos de rechazarlos. (3) S\u00f3lo estamos ante el primer PTE de una gama mayor. Solo buscamos una PTE, pero memmap->len puede abarcar un \u00e1rea m\u00e1s grande. Recorramos todos los PTE involucrados y asegur\u00e9monos de que el rango de PFN sea realmente contiguo. Rechace todo lo dem\u00e1s: no podr\u00eda haber funcionado de ninguna manera, y m\u00e1s bien utiliz\u00f3 PFN de acceso a los que no deber\u00edamos acceder."}], "id": "CVE-2024-38610", "lastModified": "2024-06-20T12:43:25.663", "metrics": {}, "published": "2024-06-19T14:15:20.893", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2c8d6e24930b8ef7d4a81787627c559ae0e0d3bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d6586008f7b638f91f3332602592caa8b00b559"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4c4ba3cf3a15ccfbaf787d0296fa42cdb00da9b4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5c6705aa47b5b78d7ad36fea832bb69caa5bf49a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/afeb0e69627695f759fc73c39c1640dbf8649b32"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e873f36ec890bece26ecce850e969917bceebbb6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()", "id": "2293354", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293354"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-99", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()\nPatch series \"mm: follow_pte() improvements and acrn follow_pte() fixes\".\nPatch #1 fixes a bunch of issues I spotted in the acrn driver. It\ncompiles, that's all I know. I'll appreciate some review and testing from\nacrn folks.\nPatch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding\nmore sanity checks, and improving the documentation. Gave it a quick test\non x86-64 using VM_PAT that ends up using follow_pte().\nThis patch (of 3):\nWe currently miss handling various cases, resulting in a dangerous\nfollow_pte() (previously follow_pfn()) usage.\n(1) We're not checking PTE write permissions.\nMaybe we should simply always require pte_write() like we do for\npin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for\nACRN_MEM_ACCESS_WRITE for now.\n(2) We're not rejecting refcounted pages.\nAs we are not using MMU notifiers, messing with refcounted pages is\ndangerous and can result in use-after-free. Let's make sure to reject them.\n(3) We are only looking at the first PTE of a bigger range.\nWe only lookup a single PTE, but memmap->len may span a larger area.\nLet's loop over all involved PTEs and make sure the PFN range is\nactually contiguous. Reject everything else: it couldn't have worked\neither way, and rather made use access PFNs we shouldn't be accessing."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-38610", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38610\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38610\nhttps://lore.kernel.org/linux-cve-announce/2024061921-CVE-2024-38610-21f9@gregkh/T"], "statement": "Red Hat Enterprise Linux is not impacted by this CVE, as the vulnerability in question does not affect the specific versions or configurations of the Linux kernel used in its distributions. This ensures that users of Red Hat Enterprise Linux are not exposed to the potential risks associated with this issue, and no further action or mitigation is necessary for systems running this operating system.", "threat_severity": "Moderate", "upstream_fix": "kernel 5.15.161, kernel 6.1.93, kernel 6.6.33, kernel 6.8.12, kernel 6.9.3, kernel 6.10-rc1"}