CVE-2024-42240 x86/bhi: Avoid warning in #DB handler due to BHI mitigation

2024-08-0715:14:27

Linux

www.cve.org

linux kernel

x86

bhi mitigation

sysenter

tf flag

issue

warning

#db handler

clear_bhb_loop

segmentation fault

exc_debug_kernel

exc_invalid_op

clear_bhb_loop

EPSS

Percentile

5.0%

JSON

In the Linux kernel, the following vulnerability has been resolved:

x86/bhi: Avoid warning in #DB handler due to BHI mitigation

When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
(exc_debug_kernel()) to issue a warning because single-step is used outside the
entry_SYSENTER_compat() function.

To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
after making sure the TF flag is cleared.

The problem can be reproduced with the following sequence:

$ cat sysenter_step.c
int main()
{ asm(“pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter”); }

$ gcc -o sysenter_step sysenter_step.c

$ ./sysenter_step
Segmentation fault (core dumped)

The program is expected to crash, and the #DB handler will issue a warning.

Kernel log:

WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
…
RIP: 0010:exc_debug_kernel+0xd2/0x160
…
Call Trace:
<#DB>
? show_regs+0x68/0x80
? __warn+0x8c/0x140
? exc_debug_kernel+0xd2/0x160
? report_bug+0x175/0x1a0
? handle_bug+0x44/0x90
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? exc_debug_kernel+0xd2/0x160
exc_debug+0x43/0x50
asm_exc_debug+0x1e/0x40
RIP: 0010:clear_bhb_loop+0x0/0xb0
…
</#DB>
<TASK>
? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
</TASK>

[ bp: Massage commit message. ]

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/entry/entry_64_compat.S"
    ],
    "versions": [
      {
        "version": "bd53ec80f218",
        "lessThan": "db56615e96c4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "07dbb10f153f",
        "lessThan": "a765679defe1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "eb36b0dce213",
        "lessThan": "dae3543db8f0",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7390db8aea0d",
        "lessThan": "08518d48e5b7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7390db8aea0d",
        "lessThan": "ac8b270b61d4",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/entry/entry_64_compat.S"
    ],
    "versions": [
      {
        "version": "6.9",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.9",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.163",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.100",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.41",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.10",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]