{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-58083", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-03-06T15:52:09.183Z", "datePublished": "2025-03-06T16:13:45.631Z", "dateUpdated": "2025-03-24T15:38:47.724Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:38:47.724Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Explicitly verify target vCPU is online in kvm_get_vcpu()\n\nExplicitly verify the target vCPU is fully online _prior_ to clamping the\nindex in kvm_get_vcpu(). If the index is \"bad\", the nospec clamping will\ngenerate '0', i.e. KVM will return vCPU0 instead of NULL.\n\nIn practice, the bug is unlikely to cause problems, as it will only come\ninto play if userspace or the guest is buggy or misbehaving, e.g. KVM may\nsend interrupts to vCPU0 instead of dropping them on the floor.\n\nHowever, returning vCPU0 when it shouldn't exist per online_vcpus is\nproblematic now that KVM uses an xarray for the vCPUs array, as KVM needs\nto insert into the xarray before publishing the vCPU to userspace (see\ncommit c5b077549136 (\"KVM: Convert the kvm->vcpus array to a xarray\")),\ni.e. before vCPU creation is guaranteed to succeed.\n\nAs a result, incorrectly providing access to vCPU0 will trigger a\nuse-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()\nbails out of vCPU creation due to an error and frees vCPU0. Commit\nafb2acb2e3a3 (\"KVM: Fix vcpu_array[0] races\") papered over that issue, but\nin doing so introduced an unsolvable teardown conundrum. Preventing\naccesses to vCPU0 before it's fully online will allow reverting commit\nafb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/kvm_host.h"], "versions": [{"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "5cce2ed69b00e022b5cdf0c49c82986abd2941a8", "status": "affected", "versionType": "git"}, {"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "09d50ccf0b2d739db4a485b08afe7520a4402a63", "status": "affected", "versionType": "git"}, {"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "7c4899239d0f70f88ac42665b3da51678d122480", "status": "affected", "versionType": "git"}, {"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "d817e510662fd1c9797952408d94806f97a5fffd", "status": "affected", "versionType": "git"}, {"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "125da53b3c0c9d7f58353aea0076e9efd6498ba7", "status": "affected", "versionType": "git"}, {"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "f2f805ada63b536bc192458a7098388286568ad4", "status": "affected", "versionType": "git"}, {"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "ca8da90ed1432ff3d000de4f1e2275d4e7d21b96", "status": "affected", "versionType": "git"}, {"version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c", "lessThan": "1e7381f3617d14b3c11da80ff5f8a93ab14cfc46", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/kvm_host.h"], "versions": [{"version": "5.1", "status": "affected"}, {"version": "0", "lessThan": "5.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.129", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.78", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.14", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.3", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/5cce2ed69b00e022b5cdf0c49c82986abd2941a8"}, {"url": "https://git.kernel.org/stable/c/09d50ccf0b2d739db4a485b08afe7520a4402a63"}, {"url": "https://git.kernel.org/stable/c/7c4899239d0f70f88ac42665b3da51678d122480"}, {"url": "https://git.kernel.org/stable/c/d817e510662fd1c9797952408d94806f97a5fffd"}, {"url": "https://git.kernel.org/stable/c/125da53b3c0c9d7f58353aea0076e9efd6498ba7"}, {"url": "https://git.kernel.org/stable/c/f2f805ada63b536bc192458a7098388286568ad4"}, {"url": "https://git.kernel.org/stable/c/ca8da90ed1432ff3d000de4f1e2275d4e7d21b96"}, {"url": "https://git.kernel.org/stable/c/1e7381f3617d14b3c11da80ff5f8a93ab14cfc46"}], "title": "KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Explicitly verify target vCPU is online in kvm_get_vcpu()\n\nExplicitly verify the target vCPU is fully online _prior_ to clamping the\nindex in kvm_get_vcpu(). If the index is \"bad\", the nospec clamping will\ngenerate '0', i.e. KVM will return vCPU0 instead of NULL.\n\nIn practice, the bug is unlikely to cause problems, as it will only come\ninto play if userspace or the guest is buggy or misbehaving, e.g. KVM may\nsend interrupts to vCPU0 instead of dropping them on the floor.\n\nHowever, returning vCPU0 when it shouldn't exist per online_vcpus is\nproblematic now that KVM uses an xarray for the vCPUs array, as KVM needs\nto insert into the xarray before publishing the vCPU to userspace (see\ncommit c5b077549136 (\"KVM: Convert the kvm->vcpus array to a xarray\")),\ni.e. before vCPU creation is guaranteed to succeed.\n\nAs a result, incorrectly providing access to vCPU0 will trigger a\nuse-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()\nbails out of vCPU creation due to an error and frees vCPU0. Commit\nafb2acb2e3a3 (\"KVM: Fix vcpu_array[0] races\") papered over that issue, but\nin doing so introduced an unsolvable teardown conundrum. Preventing\naccesses to vCPU0 before it's fully online will allow reverting commit\nafb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: verificar expl\u00edcitamente que la vCPU de destino est\u00e9 en l\u00ednea en kvm_get_vcpu() Verifique expl\u00edcitamente que la vCPU de destino est\u00e9 completamente en l\u00ednea _antes_ de fijar el \u00edndice en kvm_get_vcpu(). Si el \u00edndice es \"malo\", la fijaci\u00f3n nospec generar\u00e1 '0', es decir, KVM devolver\u00e1 vCPU0 en lugar de NULL. En la pr\u00e1ctica, es poco probable que el error cause problemas, ya que solo entrar\u00e1 en juego si el espacio de usuario o el invitado tienen errores o se comportan mal, por ejemplo, KVM puede enviar interrupciones a vCPU0 en lugar de dejarlas en el suelo. Sin embargo, devolver vCPU0 cuando no deber\u00eda existir seg\u00fan online_vcpus es problem\u00e1tico ahora que KVM usa una matriz x para la matriz vCPUs, ya que KVM necesita insertar en la matriz x antes de publicar la vCPU en el espacio de usuario (consulte el commit c5b077549136 (\"KVM: Convertir la matriz kvm->vcpus en una matriz x\")), es decir, antes de que se garantice que la creaci\u00f3n de la vCPU sea exitosa. Como resultado, proporcionar acceso incorrectamente a vCPU0 activar\u00e1 un uso despu\u00e9s de liberaci\u00f3n si se desreferencia a vCPU0 y kvm_vm_ioctl_create_vcpu() abandona la creaci\u00f3n de la vCPU debido a un error y libera vCPU0. El commit afb2acb2e3a3 (\"KVM: Reparar las ejecuciones vcpu_array[0]\") disimul\u00f3 ese problema, pero al hacerlo introdujo un enigma de desmontaje irresoluble. Evitar accesos a vCPU0 antes de que est\u00e9 completamente en l\u00ednea permitir\u00e1 revertir el commit afb2acb2e3a3, sin volver a introducir la ejecuci\u00f3n UAF vcpu_array[0]. "}], "id": "CVE-2024-58083", "lastModified": "2025-03-13T13:15:46.247", "metrics": {}, "published": "2025-03-06T17:15:21.773", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/09d50ccf0b2d739db4a485b08afe7520a4402a63"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/125da53b3c0c9d7f58353aea0076e9efd6498ba7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e7381f3617d14b3c11da80ff5f8a93ab14cfc46"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5cce2ed69b00e022b5cdf0c49c82986abd2941a8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7c4899239d0f70f88ac42665b3da51678d122480"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ca8da90ed1432ff3d000de4f1e2275d4e7d21b96"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d817e510662fd1c9797952408d94806f97a5fffd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f2f805ada63b536bc192458a7098388286568ad4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()", "id": "2350388", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2350388"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: Explicitly verify target vCPU is online in kvm_get_vcpu()\nExplicitly verify the target vCPU is fully online _prior_ to clamping the\nindex in kvm_get_vcpu(). If the index is \"bad\", the nospec clamping will\ngenerate '0', i.e. KVM will return vCPU0 instead of NULL.\nIn practice, the bug is unlikely to cause problems, as it will only come\ninto play if userspace or the guest is buggy or misbehaving, e.g. KVM may\nsend interrupts to vCPU0 instead of dropping them on the floor.\nHowever, returning vCPU0 when it shouldn't exist per online_vcpus is\nproblematic now that KVM uses an xarray for the vCPUs array, as KVM needs\nto insert into the xarray before publishing the vCPU to userspace (see\ncommit c5b077549136 (\"KVM: Convert the kvm->vcpus array to a xarray\")),\ni.e. before vCPU creation is guaranteed to succeed.\nAs a result, incorrectly providing access to vCPU0 will trigger a\nuse-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()\nbails out of vCPU creation due to an error and frees vCPU0. Commit\nafb2acb2e3a3 (\"KVM: Fix vcpu_array[0] races\") papered over that issue, but\nin doing so introduced an unsolvable teardown conundrum. Preventing\naccesses to vCPU0 before it's fully online will allow reverting commit\nafb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race."], "name": "CVE-2024-58083", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-58083\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-58083\nhttps://lore.kernel.org/linux-cve-announce/2025030610-CVE-2024-58083-62b7@gregkh/T"], "threat_severity": "Moderate"}