CVE-2024-57951

In the Linux kernel, the following vulnerability has been resolved: hrtimers: Handle CPU state correctly on hotplug Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to CPUHP_ONLINE: Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set to 1 throughout. However, during a CPU unplug operation, the tick and the clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online state, for instance CFS incorrectly assumes that the hrtick is already active, and the chance of the clockevent device to transition to oneshot mode is also lost forever for the CPU, unless it goes back to a lower state than CPUHP_HRTIMERS_PREPARE once. This round-trip reveals another issue; cpu_base.online is not set to 1 after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer(). Aside of that, the bulk of the per CPU state is not reset either, which means there are dangling pointers in the worst case. Address this by adding a corresponding startup() callback, which resets the stale per CPU state and sets the online flag. [ tglx: Make the new callback unconditionally available, remove the online modification in the prepare() callback and clear the remaining state in the starting callback instead of the prepare callback ]

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7	Patch
https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a	Patch
https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686	Patch
https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28	Patch
https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75	Patch
https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a	Patch
https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.13:rc7::::::

History

14 Feb 2025, 15:57

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hrtimers: Controlar el estado de la CPU correctamente en hotplug Considere un escenario donde una CPU pasa de CPUHP_ONLINE a la mitad de un hotunplug de CPU hasta CPUHP_HRTIMERS_PREPARE, y luego vuelve a CPUHP_ONLINE: Dado que hrtimers_prepare_cpu() no se ejecuta, cpu_base.hres_active permanece establecido en 1 durante todo el proceso. Sin embargo, durante una operación de desconexión de la CPU, el tick y los clockevents se apagan en CPUHP_AP_TICK_DYING. Al volver al estado en línea, por ejemplo, CFS supone incorrectamente que el hrtick ya está activo, y la posibilidad de que el dispositivo clockevent pase al modo one-shot también se pierde para siempre para la CPU, a menos que vuelva a un estado inferior a CPUHP_HRTIMERS_PREPARE una vez. Este viaje de ida y vuelta revela otro problema; cpu_base.online no se establece en 1 después de la transición, lo que aparece como WARN_ON_ONCE en enqueue_hrtimer(). Aparte de eso, la mayor parte del estado por CPU tampoco se restablece, lo que significa que hay punteros inactivos en el peor de los casos. Resuelva esto agregando una devolución de llamada startup() correspondiente, que restablece el estado obsoleto por CPU y establece el indicador en línea. [ tglx: haga que la nueva devolución de llamada esté disponible incondicionalmente, elimine la modificación en línea en la devolución de llamada prepare() y borre el estado restante en la devolución de llamada de inicio en lugar de la devolución de llamada de preparación ]
CPE		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.13:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.13:rc1::::::
First Time		Linux Linux linux Kernel
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-416
References	~~() https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7 -~~	() https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7 - Patch
References	~~() https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a -~~	() https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a - Patch
References	~~() https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686 -~~	() https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686 - Patch
References	~~() https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28 -~~	() https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28 - Patch
References	~~() https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75 -~~	() https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75 - Patch
References	~~() https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a -~~	() https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a - Patch
References	~~() https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc -~~	() https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc - Patch

12 Feb 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-12 14:15

Updated : 2025-02-14 15:57

NVD link : CVE-2024-57951

Mitre link : CVE-2024-57951

CVE.ORG link : CVE-2024-57951

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2024-57951", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-12T14:15:31.403", "references": [{"url": "https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhrtimers: Handle CPU state correctly on hotplug\n\nConsider a scenario where a CPU transitions from CPUHP_ONLINE to halfway\nthrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to\nCPUHP_ONLINE:\n\nSince hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set\nto 1 throughout. However, during a CPU unplug operation, the tick and the\nclockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online\nstate, for instance CFS incorrectly assumes that the hrtick is already\nactive, and the chance of the clockevent device to transition to oneshot\nmode is also lost forever for the CPU, unless it goes back to a lower state\nthan CPUHP_HRTIMERS_PREPARE once.\n\nThis round-trip reveals another issue; cpu_base.online is not set to 1\nafter the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().\n\nAside of that, the bulk of the per CPU state is not reset either, which\nmeans there are dangling pointers in the worst case.\n\nAddress this by adding a corresponding startup() callback, which resets the\nstale per CPU state and sets the online flag.\n\n[ tglx: Make the new callback unconditionally available, remove the online\n \tmodification in the prepare() callback and clear the remaining\n \tstate in the starting callback instead of the prepare callback ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hrtimers: Controlar el estado de la CPU correctamente en hotplug Considere un escenario donde una CPU pasa de CPUHP_ONLINE a la mitad de un hotunplug de CPU hasta CPUHP_HRTIMERS_PREPARE, y luego vuelve a CPUHP_ONLINE: Dado que hrtimers_prepare_cpu() no se ejecuta, cpu_base.hres_active permanece establecido en 1 durante todo el proceso. Sin embargo, durante una operaci\u00f3n de desconexi\u00f3n de la CPU, el tick y los clockevents se apagan en CPUHP_AP_TICK_DYING. Al volver al estado en l\u00ednea, por ejemplo, CFS supone incorrectamente que el hrtick ya est\u00e1 activo, y la posibilidad de que el dispositivo clockevent pase al modo one-shot tambi\u00e9n se pierde para siempre para la CPU, a menos que vuelva a un estado inferior a CPUHP_HRTIMERS_PREPARE una vez. Este viaje de ida y vuelta revela otro problema; cpu_base.online no se establece en 1 despu\u00e9s de la transici\u00f3n, lo que aparece como WARN_ON_ONCE en enqueue_hrtimer(). Aparte de eso, la mayor parte del estado por CPU tampoco se restablece, lo que significa que hay punteros inactivos en el peor de los casos. Resuelva esto agregando una devoluci\u00f3n de llamada startup() correspondiente, que restablece el estado obsoleto por CPU y establece el indicador en l\u00ednea. [ tglx: haga que la nueva devoluci\u00f3n de llamada est\u00e9 disponible incondicionalmente, elimine la modificaci\u00f3n en l\u00ednea en la devoluci\u00f3n de llamada prepare() y borre el estado restante en la devoluci\u00f3n de llamada de inicio en lugar de la devoluci\u00f3n de llamada de preparaci\u00f3n ]"}], "lastModified": "2025-02-14T15:57:18.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2AB35967-8241-4BF5-B781-B331B439E208", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.302"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D484C596-D387-4551-B727-6BC0B030AA70", "versionEndExcluding": "5.4.290", "versionStartIncluding": "5.4.264"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33F01B45-42CA-4B50-B3A4-7A67DB1A534B", "versionEndExcluding": "5.10.234", "versionStartIncluding": "5.10.204"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "477F2C85-CBB5-44FD-85D9-2AF8197641CB", "versionEndExcluding": "5.15.177", "versionStartIncluding": "5.15.143"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D5FDA4DE-7749-464F-85A4-56CE4C6B7A15", "versionEndExcluding": "6.1.127", "versionStartIncluding": "6.1.68"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "823FCD43-4F73-4C5C-BDA7-21CE53729898", "versionEndExcluding": "6.6.74", "versionStartIncluding": "6.6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7D0DBC3-F63C-4396-8A47-6F3D4FA0556E", "versionEndExcluding": "6.12.11", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

7.8 /10