CVE - CVE-2024-50275

CVE-ID
CVE-2024-50275	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: arm64/sve: Discard stale CPU state when handling SVE traps The logic for handling SVE traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SVE traps enabled). This has been observed to result in warnings from do_sve_acc() where SVE traps are not expected while TIF_SVE is set: \| if (test_and_set_thread_flag(TIF_SVE)) \| WARN_ON(1); /* SVE access shouldn't have trapped / Warnings of this form have been reported intermittently, e.g. https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/ https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/ The race can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU, e.g. \| void do_sve_acc(unsigned long esr, struct pt_regs regs) \| { \| // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled \| // task->fpsimd_cpu is 0. \| // per_cpu_ptr(&fpsimd_last_state, 0) is task. \| \| ... \| \| // Preempted; migrated from CPU 0 to CPU 1. \| // TIF_FOREIGN_FPSTATE is set. \| \| get_cpu_fpsimd_context(); \| \| if (test_and_set_thread_flag(TIF_SVE)) \| WARN_ON(1); /* SVE access shouldn't have trapped */ \| \| sve_init_regs() { \| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { \| ... \| } else { \| fpsimd_to_sve(current); \| current->thread.fp_type = FP_STATE_SVE; \| } \| } \| \| put_cpu_fpsimd_context(); \| \| // Preempted; migrated from CPU 1 to CPU 0. \| // task->fpsimd_cpu is still 0 \| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: \| // - Stale HW state is reused (with SVE traps enabled) \| // - TIF_FOREIGN_FPSTATE is cleared \| // - A return to userspace skips HW state restore \| } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/51d11ea0250d6ee461987403bbfd4b2abb5613a7 URL:https://git.kernel.org/stable/c/51d11ea0250d6ee461987403bbfd4b2abb5613a7 MISC:https://git.kernel.org/stable/c/751ecf6afd6568adc98f2a6052315552c0483d18 URL:https://git.kernel.org/stable/c/751ecf6afd6568adc98f2a6052315552c0483d18 MISC:https://git.kernel.org/stable/c/fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9 URL:https://git.kernel.org/stable/c/fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9
Assigning CNA
kernel.org
Date Record Created
20241021	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20241021)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)