CVE-2024-35791

HIGH

Linux Kernel 4.19.176-4.19.x - Use-After-Free in svm_register_enc_region

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()

Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region.

Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated. I.e. the region structure itself would be fine, but region->pages could be freed.

Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.

Scores

CVSS v3 7.8
EPSS 0.0003
EPSS Percentile 8.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (23)
debian/debian_linux 10.0
Linux/Linux < 5.11
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - 12f8e32a5a389a5d58afc67728c76e61beee1ad4
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - 4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - e126b508ed2e616d679d85fca2fbe77bb48bbdd7
Linux/Linux 19a23da53932bc8011220bd8c410cb76012de004 - f6d53d8a2617dd58c89171a6b9610c470ebda38a
Linux/Linux 4.19.176 - 4.20
Linux/Linux 4f627ecde7329e476a077bb0590db8f27bb8f912 - 2d13b79640b147bd77c34a5998533b2021a4122d
Linux/Linux 5.10.15 - 5.10.215
... and 13 more
Published May 17, 2024
Tracked Since Feb 18, 2026