CVE-2024-36936

{"id": "CVE-2024-36936", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-30T16:15:16.713", "references": [{"url": "https://git.kernel.org/stable/c/1c5a1627f48105cbab81d25ec2f72232bfaa8185", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/781e34b736014188ba9e46a71535237313dcda81", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e115c1b5de55a105c75aba8eb08301c075fa4ef4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1c5a1627f48105cbab81d25ec2f72232bfaa8185", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/781e34b736014188ba9e46a71535237313dcda81", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/unaccepted: touch soft lockup during memory accept\n\nCommit 50e782a86c98 (\"efi/unaccepted: Fix soft lockups caused by\nparallel memory acceptance\") has released the spinlock so other CPUs can\ndo memory acceptance in parallel and not triggers softlockup on other\nCPUs.\n\nHowever the softlock up was intermittent shown up if the memory of the\nTD guest is large, and the timeout of softlockup is set to 1 second:\n\n RIP: 0010:_raw_spin_unlock_irqrestore\n Call Trace:\n ? __hrtimer_run_queues\n <IRQ>\n ? hrtimer_interrupt\n ? watchdog_timer_fn\n ? __sysvec_apic_timer_interrupt\n ? __pfx_watchdog_timer_fn\n ? sysvec_apic_timer_interrupt\n </IRQ>\n ? __hrtimer_run_queues\n <TASK>\n ? hrtimer_interrupt\n ? asm_sysvec_apic_timer_interrupt\n ? _raw_spin_unlock_irqrestore\n ? __sysvec_apic_timer_interrupt\n ? sysvec_apic_timer_interrupt\n accept_memory\n try_to_accept_memory\n do_huge_pmd_anonymous_page\n get_page_from_freelist\n __handle_mm_fault\n __alloc_pages\n __folio_alloc\n ? __tdx_hypercall\n handle_mm_fault\n vma_alloc_folio\n do_user_addr_fault\n do_huge_pmd_anonymous_page\n exc_page_fault\n ? __do_huge_pmd_anonymous_page\n asm_exc_page_fault\n __handle_mm_fault\n\nWhen the local irq is enabled at the end of accept_memory(), the\nsoftlockup detects that the watchdog on single CPU has not been fed for\na while. That is to say, even other CPUs will not be blocked by\nspinlock, the current CPU might be stunk with local irq disabled for a\nwhile, which hurts not only nmi watchdog but also softlockup.\n\nChao Gao pointed out that the memory accept could be time costly and\nthere was similar report before. Thus to avoid any softlocup detection\nduring this stage, give the softlockup a flag to skip the timeout check\nat the end of accept_memory(), by invoking touch_softlockup_watchdog()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: efi/unaccepted: toque el bloqueo suave durante la aceptaci\u00f3n de la memoria. El commit 50e782a86c98 (\"efi/unaccepted: solucione los bloqueos suaves causados por la aceptaci\u00f3n de la memoria paralela\") ha liberado el bloqueo de giro para que otras CPU puedan usar la memoria. aceptaci\u00f3n en paralelo y no activa el bloqueo suave en otras CPU. Sin embargo, el bloqueo suave se mostr\u00f3 de forma intermitente si la memoria del TD invitado es grande y el tiempo de espera del bloqueo suave se establece en 1 segundo: RIP: 0010:_raw_spin_unlock_irqrestore Seguimiento de llamadas:? __hrtimer_run_queues ? hrtimer_interrupt? watchdog_timer_fn? __sysvec_apic_timer_interrupt? __pfx_watchdog_timer_fn? sysvec_apic_timer_interrupt ? __hrtimer_run_queues ? hrtimer_interrupt? asm_sysvec_apic_timer_interrupt? _raw_spin_unlock_irqrestore? __sysvec_apic_timer_interrupt? sysvec_apic_timer_interrupt aceptar_memoria try_to_accept_memory do_huge_pmd_anonymous_page get_page_from_freelist __handle_mm_fault __alloc_pages __folio_alloc? __tdx_hypercall handle_mm_fault vma_alloc_folio do_user_addr_fault do_huge_pmd_anonymous_page exc_page_fault? __do_huge_pmd_anonymous_page asm_exc_page_fault __handle_mm_fault Cuando el irq local est\u00e1 habilitado al final de Accept_memory(), el bloqueo suave detecta que el mecanismo de vigilancia en una sola CPU no ha sido alimentado por un tiempo. Es decir, incluso otras CPU no ser\u00e1n bloqueadas por spinlock, la CPU actual podr\u00eda apestar con el irq local deshabilitado por un tiempo, lo que perjudica no solo al nmi watchdog sino tambi\u00e9n al softlockup. Chao Gao se\u00f1al\u00f3 que la aceptaci\u00f3n de la memoria podr\u00eda llevar mucho tiempo y hubo un informe similar antes. Por lo tanto, para evitar cualquier detecci\u00f3n de softlocup durante esta etapa, proporcione al softlockup una bandera para omitir la verificaci\u00f3n del tiempo de espera al final de Accept_memory(), invocando touch_softlockup_watchdog()."}], "lastModified": "2025-09-17T22:18:53.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AC54E1F-8CEA-4349-9973-283781371BE3", "versionEndExcluding": "6.6", "versionStartIncluding": "6.5.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "094BE690-D48C-430B-ACFE-4837AC2AEF1D", "versionEndExcluding": "6.6.55", "versionStartIncluding": "6.6.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A6B920C-8D8F-4130-86B4-AD334F4CF2E3", "versionEndExcluding": "6.8.10", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E346B162-D566-4E62-ABDE-ECBFB21B8BFD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.6:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC5BD782-474C-4A68-AED7-6EC818FF89AE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A06B2CCF-3F43-4FA9-8773-C83C3F5764B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F850DCEC-E08B-4317-A33B-D2DCF39F601B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91326417-E981-482E-A5A3-28BC1327521B"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}