{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-56761", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T11:26:39.762Z", "datePublished": "2025-01-06T16:20:41.112Z", "dateUpdated": "2025-01-09T15:35:58.337Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-09T15:35:58.337Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Clear WFE in missing-ENDBRANCH #CPs\n\nAn indirect branch instruction sets the CPU indirect branch tracker\n(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted\nacross the instruction boundary. When the decoder finds an\ninappropriate instruction while WFE is set ENDBR, the CPU raises a #CP\nfault.\n\nFor the \"kernel IBT no ENDBR\" selftest where #CPs are deliberately\ntriggered, the WFE state of the interrupted context needs to be\ncleared to let execution continue. Otherwise when the CPU resumes\nfrom the instruction that just caused the previous #CP, another\nmissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.\n\nThis is not a problem with IDT because it doesn't preserve WFE and\nIRET doesn't set WFE. But FRED provides space on the entry stack\n(in an expanded CS area) to save and restore the WFE state, thus the\nWFE state is no longer clobbered, so software must clear it.\n\nClear WFE to avoid dead looping in ibt_clear_fred_wfe() and the\n!ibt_fatal code path when execution is allowed to continue.\n\nClobbering WFE in any other circumstance is a security-relevant bug.\n\n[ dhansen: changelog rewording ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/cet.c"], "versions": [{"version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe", "lessThan": "151447859d6fb0dcce8259f0971c6e94fb801661", "status": "affected", "versionType": "git"}, {"version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe", "lessThan": "b939f108e86b76119428a6fa4e92491e09ac7867", "status": "affected", "versionType": "git"}, {"version": "a5f6c2ace9974adf92ce65dacca8126d90adabfe", "lessThan": "dc81e556f2a017d681251ace21bf06c126d5a192", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/cet.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.70", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.8", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/151447859d6fb0dcce8259f0971c6e94fb801661"}, {"url": "https://git.kernel.org/stable/c/b939f108e86b76119428a6fa4e92491e09ac7867"}, {"url": "https://git.kernel.org/stable/c/dc81e556f2a017d681251ace21bf06c126d5a192"}], "title": "x86/fred: Clear WFE in missing-ENDBRANCH #CPs", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9603956D-3787-4C93-B9F3-D1868F726960", "versionEndExcluding": "6.12.8", "versionStartIncluding": "6.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Clear WFE in missing-ENDBRANCH #CPs\n\nAn indirect branch instruction sets the CPU indirect branch tracker\n(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted\nacross the instruction boundary. When the decoder finds an\ninappropriate instruction while WFE is set ENDBR, the CPU raises a #CP\nfault.\n\nFor the \"kernel IBT no ENDBR\" selftest where #CPs are deliberately\ntriggered, the WFE state of the interrupted context needs to be\ncleared to let execution continue. Otherwise when the CPU resumes\nfrom the instruction that just caused the previous #CP, another\nmissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.\n\nThis is not a problem with IDT because it doesn't preserve WFE and\nIRET doesn't set WFE. But FRED provides space on the entry stack\n(in an expanded CS area) to save and restore the WFE state, thus the\nWFE state is no longer clobbered, so software must clear it.\n\nClear WFE to avoid dead looping in ibt_clear_fred_wfe() and the\n!ibt_fatal code path when execution is allowed to continue.\n\nClobbering WFE in any other circumstance is a security-relevant bug.\n\n[ dhansen: changelog rewording ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/fred: Borrar WFE en #CPs de ENDBRANCH faltantes Una instrucci\u00f3n de bifurcaci\u00f3n indirecta establece el rastreador de bifurcaci\u00f3n indirecta (IBT) de la CPU en estado WAIT_FOR_ENDBRANCH (WFE) y WFE permanece afirmado a trav\u00e9s del l\u00edmite de instrucci\u00f3n. Cuando el decodificador encuentra una instrucci\u00f3n inapropiada mientras WFE est\u00e1 establecido en ENDBR, la CPU genera un error #CP. Para la autoprueba \"IBT del kernel sin ENDBR\" donde los #CP se activan deliberadamente, el estado WFE del contexto interrumpido debe borrarse para permitir que la ejecuci\u00f3n contin\u00fae. De lo contrario, cuando la CPU se reanuda desde la instrucci\u00f3n que acaba de causar el #CP anterior, se genera otro #CP de ENDBRANCH faltante y la CPU entra en un bucle muerto. Esto no es un problema con IDT porque no preserva WFE e IRET no establece WFE. Pero FRED proporciona espacio en la pila de entrada (en un \u00e1rea CS expandida) para guardar y restaurar el estado WFE, por lo que el estado WFE ya no se ve afectado, por lo que el software debe limpiarlo. Limpie WFE para evitar bucles muertos en ibt_clear_fred_wfe() y la ruta de c\u00f3digo !ibt_fatal cuando se permite que la ejecuci\u00f3n contin\u00fae. Afectar a WFE en cualquier otra circunstancia es un error relevante para la seguridad. [ dhansen: reformulaci\u00f3n del registro de cambios ]"}], "id": "CVE-2024-56761", "lastModified": "2025-01-09T16:16:23.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-06T17:15:41.480", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/151447859d6fb0dcce8259f0971c6e94fb801661"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b939f108e86b76119428a6fa4e92491e09ac7867"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dc81e556f2a017d681251ace21bf06c126d5a192"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: x86/fred: Clear WFE in missing-ENDBRANCH #CPs", "id": "2335890", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2335890"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nx86/fred: Clear WFE in missing-ENDBRANCH #CPs\nAn indirect branch instruction sets the CPU indirect branch tracker\n(IBT) into WAIT_FOR_ENDBRANCH (WFE) state and WFE stays asserted\nacross the instruction boundary. When the decoder finds an\ninappropriate instruction while WFE is set ENDBR, the CPU raises a #CP\nfault.\nFor the \"kernel IBT no ENDBR\" selftest where #CPs are deliberately\ntriggered, the WFE state of the interrupted context needs to be\ncleared to let execution continue. Otherwise when the CPU resumes\nfrom the instruction that just caused the previous #CP, another\nmissing-ENDBRANCH #CP is raised and the CPU enters a dead loop.\nThis is not a problem with IDT because it doesn't preserve WFE and\nIRET doesn't set WFE. But FRED provides space on the entry stack\n(in an expanded CS area) to save and restore the WFE state, thus the\nWFE state is no longer clobbered, so software must clear it.\nClear WFE to avoid dead looping in ibt_clear_fred_wfe() and the\n!ibt_fatal code path when execution is allowed to continue.\nClobbering WFE in any other circumstance is a security-relevant bug.\n[ dhansen: changelog rewording ]"], "name": "CVE-2024-56761", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-56761\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56761\nhttps://lore.kernel.org/linux-cve-announce/2025010654-CVE-2024-56761-0be0@gregkh/T"], "threat_severity": "Moderate"}