Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2024-50275 | First vendor Publication | 2024-11-19 |
| Vendor | Cve | Last vendor Modification | 2024-12-14 |
Security-Database Scoring CVSS v3
| Cvss vector : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | |||
|---|---|---|---|
| Overall CVSS Score | 7 | ||
| Base Score | 7 | Environmental Score | 7 |
| impact SubScore | 5.9 | Temporal Score | 7 |
| Exploitabality Sub Score | 1 | ||
| Attack Vector | Local | Attack Complexity | High |
| Privileges Required | Low | User Interaction | None |
| Scope | Unchanged | Confidentiality Impact | High |
| Integrity Impact | High | Availability Impact | High |
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : | |||
|---|---|---|---|
| Cvss Base Score | N/A | Attack Range | N/A |
| Cvss Impact Score | N/A | Attack Complexity | N/A |
| Cvss Expoit Score | N/A | Authentication | N/A |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| In the Linux kernel, the following vulnerability has been resolved: arm64/sve: Discard stale CPU state when handling SVE traps The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled). This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set: | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ Warnings of this form have been reported intermittently, e.g. https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/ The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g. | void do_sve_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | if (test_and_set_thread_flag(TIF_SVE)) | WARN_ON(1); /* SVE access shouldn't have trapped */ | | sve_init_regs() { | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | ... | } else { | fpsimd_to_sve(current); | current->thread.fp_type = FP_STATE_SVE; | } | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SVE traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50275 |
CPE : Common Platform Enumeration
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2025-03-29 03:43:05 |
|
| 2025-03-28 13:46:47 |
|
| 2025-03-28 03:20:48 |
|
| 2025-03-19 03:15:58 |
|
| 2025-03-18 03:28:56 |
|
| 2025-03-14 03:16:08 |
|
| 2025-03-06 14:12:42 |
|
| 2025-02-22 03:26:15 |
|
| 2025-01-08 03:07:10 |
|
| 2025-01-07 03:06:43 |
|
| 2024-12-25 03:05:20 |
|
| 2024-12-15 00:20:34 |
|
| 2024-12-12 03:08:14 |
|
| 2024-11-27 21:23:13 |
|
| 2024-11-20 03:02:01 |
|
| 2024-11-20 03:01:14 |
|
| 2024-11-20 00:20:28 |
|
| 2024-11-19 09:20:29 |
|
