CVE-2024-35801 x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

2024-05-1713:23:10

Linux

www.cve.org

linux kernel

vulnerability

xfd state

msr_ia32_xfd

cpu hotplug

xfd_set_state

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

Commit 672365477ae8 (“x86/fpu: Update XFD state where required”) and
commit 8bf26758ca96 (“x86/fpu: Add XFD state to fpstate”) introduced a
per CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in
order to avoid unnecessary writes to the MSR.

On CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which
wipes out any stale state. But the per CPU cached xfd value is not
reset, which brings them out of sync.

As a consequence a subsequent xfd_update_state() might fail to update
the MSR which in turn can result in XRSTOR raising a #NM in kernel
space, which crashes the kernel.

To fix this, introduce xfd_set_state() to write xfd_state together
with MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/kernel/fpu/xstate.c",
      "arch/x86/kernel/fpu/xstate.h"
    ],
    "versions": [
      {
        "version": "672365477ae8",
        "lessThan": "21c7c00dae55",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "672365477ae8",
        "lessThan": "1acbca933313",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "672365477ae8",
        "lessThan": "92b0f04e9376",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "672365477ae8",
        "lessThan": "b61e3b7055ac",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "672365477ae8",
        "lessThan": "10e4b5166df9",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/kernel/fpu/xstate.c",
      "arch/x86/kernel/fpu/xstate.h"
    ],
    "versions": [
      {
        "version": "5.16",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.16",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.84",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.24",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7.12",
        "lessThanOrEqual": "6.7.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.3",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]