CVE-2024-35804

{"id": "CVE-2024-35804", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-17T14:15:13.550", "references": [{"url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: marcar el gfn de destino de la instrucci\u00f3n at\u00f3mica emulada como sucia Al emular un acceso at\u00f3mico en nombre del invitado, marque el gfn de destino como sucio si se intenta realizar el CMPXCHG por KVM y no falla. Esto corrige un error por el cual KVM corrompe efectivamente la memoria del invitado durante la migraci\u00f3n en vivo al escribir en la memoria del invitado sin informar al espacio de usuario que la p\u00e1gina est\u00e1 sucia. Marcar la p\u00e1gina como sucia se elimin\u00f3 involuntariamente cuando el CMPXCHG emulado de KVM se convirti\u00f3 para realizar un acceso de usuario. Antes de eso, KVM asignaba expl\u00edcitamente la p\u00e1gina invitada a la memoria del kernel y marcaba la p\u00e1gina como sucia durante la fase de desasignaci\u00f3n. Marque la p\u00e1gina como sucia incluso si CMPXCHG falla, ya que los datos antiguos se vuelven a escribir en caso de fallo, es decir, la p\u00e1gina a\u00fan est\u00e1 escrita. Se garantiza que el valor escrito ser\u00e1 el mismo porque la operaci\u00f3n es at\u00f3mica, pero la ABI de KVM es que todas las escrituras se registran de forma sucia independientemente del valor escrito. Y lo que es m\u00e1s importante, eso es lo que hizo KVM antes de la confirmaci\u00f3n del error. Felicitaciones enormes a las personas en la lista Cc (y a muchos otros), que hicieron todo el trabajo de clasificaci\u00f3n y depuraci\u00f3n. confirmaci\u00f3n base: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64"}], "lastModified": "2025-09-19T15:58:56.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68D983D7-04C4-4500-BF8E-CA2340EB197E", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.15.58"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91C8C459-1749-4BA8-B57B-E19335243827", "versionEndExcluding": "5.18", "versionStartIncluding": "5.17.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBACD95B-732F-4957-8DA5-5103D50703F2", "versionEndExcluding": "6.1.84", "versionStartIncluding": "5.18.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8018C1D0-0A5F-48D0-BC72-A2B33FDDA693", "versionEndExcluding": "6.6.24", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BE9771A-BAFD-4624-95F9-58D536540C53", "versionEndExcluding": "6.7.12", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F02056A5-B362-4370-9FF8-6F0BD384D520"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62075ACE-B2A0-4B16-829D-B3DA5AE5CC41"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A780F817-2A77-4130-A9B7-5C25606314E3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEB9199B-AB8F-4877-8964-E2BA95B5F15C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9B8A5CE-6D20-4C36-AC01-ACA4B70003A8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}