CVE-2024-35791

一、漏洞信息
漏洞编号：CVE-2024-35791
漏洞归属组件：kernel
漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
CVSS V3.0分值：
BaseScore：0.0 None
Vector：CVSS：3.0/
漏洞简述：
In the Linux kernel, the following vulnerability has been resolved:KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()Do the cache flush of converted pages in svm_register_enc_region() beforedropping kvm->lock to fix use-after-free issues where region and/or itsarray of pages could be freed by a different task, e.g. if userspace has__unregister_enc_region_locked() already queued up for the region.Note, the obvious alternative of using local variables doesn t fullyresolve the bug, as region->pages is also dynamically allocated. I.e. theregion structure itself would be fine, but region->pages could be freed.Flushing multiple pages under kvm->lock is unfortunate, but the entireflow is a rare slow path, and the manual flush is only needed on CPUs thatlack coherency for encrypted memory.
漏洞公开时间：2024-05-17 21:15:58
漏洞创建时间：2024-05-17 13:41:40
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2024-35791

更多参考(点击展开)

参考来源	参考链接	来源链接
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35791	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2024-35791	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-35791.mbox	https://bugzilla.suse.com/show_bug.cgi?id=1224725
suse_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2281052	https://bugzilla.suse.com/show_bug.cgi?id=1224725
redhat_bugzilla	https://lore.kernel.org/linux-cve-announce/2024051708-CVE-2024-35791-65ad@gregkh/T	https://bugzilla.redhat.com/show_bug.cgi?id=2281052
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:4823	https://bugzilla.redhat.com/show_bug.cgi?id=2281052
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:4831	https://bugzilla.redhat.com/show_bug.cgi?id=2281052
redhat_bugzilla	https://access.redhat.com/errata/RHSA-2024:6567	https://bugzilla.redhat.com/show_bug.cgi?id=2281052
ubuntu	https://www.cve.org/CVERecord?id=CVE-2024-35791	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://git.kernel.org/linus/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 (6.8)	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2024-35791	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://launchpad.net/bugs/cve/CVE-2024-35791	https://ubuntu.com/security/CVE-2024-35791
ubuntu	https://security-tracker.debian.org/tracker/CVE-2024-35791	https://ubuntu.com/security/CVE-2024-35791
debian		https://security-tracker.debian.org/tracker/CVE-2024-35791
cve_search		https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d
cve_search		https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7
cve_search		https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865
cve_search		https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4
cve_search		https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a
cve_search		https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
linux		https://git.kernel.org/linus/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807	https://git.kernel.org/linus/19a23da53932bc8011220bd8c410cb76012de004	ubuntu

二、漏洞分析结构反馈
影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()Do the cache flush of converted pages in svm_register_enc_region() beforedropping kvm->lock to fix use-after-free issues where region and/or itsarray of pages could be freed by a different task, e.g. if userspace has__unregister_enc_region_locked() already queued up for the region.Note, the obvious alternative of using local variables doesn t fullyresolve the bug, as region->pages is also dynamically allocated. I.e. theregion structure itself would be fine, but region->pages could be freed.Flushing multiple pages under kvm->lock is unfortunate, but the entireflow is a rare slow path, and the manual flush is only needed on CPUs thatlack coherency for encrypted memory.
openEuler评分：
5.5
Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
受影响版本排查(受影响/不受影响)：
1.openEuler-22.03-LTS-SP1(5.10.0):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-20.03-LTS-SP4(4.19.90):不受影响
5.master(6.6.0):不受影响
6.openEuler-24.03-LTS(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

原因说明：
1.master(6.6.0):
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP1(5.10.0):
4.openEuler-22.03-LTS-SP3(5.10.0):
5.openEuler-22.03-LTS-SP4(5.10.0):
6.openEuler-24.03-LTS(6.6.0):
7.openEuler-24.03-LTS-Next(6.6.0):

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@yangyingliang ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 ,@gasonchen
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-22.03-LTS-SP4:
10.openEuler-24.03-LTS:
11.openEuler-24.03-LTS-Next:

修复是否涉及abi变化(是/否)：
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-22.03-LTS-SP4:
10.openEuler-24.03-LTS:
11.openEuler-24.03-LTS-Next:

issue处理具体操作请参考:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2024-35791	None	None	https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865 https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7 https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4 https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a
https://ubuntu.com/security/CVE-2024-35791	None	None	https://discourse.ubuntu.com/c/ubuntu-pro
https://www.opencve.io/cve/CVE-2024-35791	None	None	https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865 https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7 https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4 https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-35791
https://security-tracker.debian.org/tracker/CVE-2024-35791

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

@guo-mengqi 请确认分支: master,openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-Next,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-Next 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

CVE-2024-35791

影响性分析说明：
In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()

Do the cache flush of converted pages in svm_register_enc_region() before
dropping kvm->lock to fix use-after-free issues where region and/or its
array of pages could be freed by a different task, e.g. if userspace has
__unregister_enc_region_locked() already queued up for the region.

Note, the "obvious" alternative of using local variables doesn't fully
resolve the bug, as region->pages is also dynamically allocated. I.e. the
region structure itself would be fine, but region->pages could be freed.

Flushing multiple pages under kvm->lock is unfortunate, but the entire
flow is a rare slow path, and the manual flush is only needed on CPUs that
lack coherency for encrypted memory.

openEuler评分:(评分和向量)
5.5
CVSS: 3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1:不受影响
2.openEuler-20.03-LTS-SP4:不受影响
3.openEuler-22.03-LTS:受影响
4.openEuler-22.03-LTS-SP1:受影响
5.openEuler-22.03-LTS-SP2:受影响
6.openEuler-22.03-LTS-SP3:受影响
7.master(6.1.0):不受影响
8.openEuler-22.03-LTS-Next:不受影响
9.openEuler-24.03-LTS:不受影响
10.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否

@guo-mengqi 请确认分支: openEuler-22.03-LTS-SP4 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

@ci-robot 请确认分支: openEuler-22.03-LTS-SP4 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.

@zhangjialin11 请确认分支: openEuler-22.03-LTS-SP4 受影响/不受影响.
请确认分支信息是否填写完整,否则将无法关闭当前issue.