Lucene search

LinuxCVE-2024-42240

HistoryAug 07, 2024 - 4:15 p.m.

CVE-2024-42240

2024-08-0716:15:46

CWE-835

Linux

web.nvd.nist.gov

linux kernel

vulnerability

cve-2024-42240

bhi mitigation

warning

#db handler

tf flag

sysenter

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

Percentile

5.0%

JSON

In the Linux kernel, the following vulnerability has been resolved:

x86/bhi: Avoid warning in #DB handler due to BHI mitigation

When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
(exc_debug_kernel()) to issue a warning because single-step is used outside the
entry_SYSENTER_compat() function.

To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
after making sure the TF flag is cleared.

The problem can be reproduced with the following sequence:

$ cat sysenter_step.c
int main()
{ asm(“pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter”); }

$ gcc -o sysenter_step sysenter_step.c

$ ./sysenter_step
Segmentation fault (core dumped)

The program is expected to crash, and the #DB handler will issue a warning.

Kernel log:

WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
…
RIP: 0010:exc_debug_kernel+0xd2/0x160
…
Call Trace:
<#DB>
? show_regs+0x68/0x80
? __warn+0x8c/0x140
? exc_debug_kernel+0xd2/0x160
? report_bug+0x175/0x1a0
? handle_bug+0x44/0x90
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? exc_debug_kernel+0xd2/0x160
exc_debug+0x43/0x50
asm_exc_debug+0x1e/0x40
RIP: 0010:clear_bhb_loop+0x0/0xb0
…
</#DB>
<TASK>
? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
</TASK>

[ bp: Massage commit message. ]

Affected configurations

Nvd

Vulners

Node

linuxlinux_kernelRange5.15.163–6.1.100

linuxlinux_kernelRange6.2–6.6.41

linuxlinux_kernelRange6.7–6.9.10

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/entry/entry_64_compat.S"
    ],
    "versions": [
      {
        "version": "bd53ec80f218",
        "lessThan": "db56615e96c4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "07dbb10f153f",
        "lessThan": "a765679defe1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "eb36b0dce213",
        "lessThan": "dae3543db8f0",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7390db8aea0d",
        "lessThan": "08518d48e5b7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7390db8aea0d",
        "lessThan": "ac8b270b61d4",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/entry/entry_64_compat.S"
    ],
    "versions": [
      {
        "version": "6.9",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.9",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.163",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.100",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.41",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.10",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]