CVE-2024-31076: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
In the Linux kernel, the following vulnerability has been resolved:
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
Without IRQD_MOVE_PCNTXT, an interrupt affinity change made via procfs does not take effect immediately. Instead, the change is deferred until the interrupt next triggers on the original CPU.
When the interrupt next triggers on the original CPU, the new affinity is enforced within irq_move_irq(). A vector is allocated on the new CPU, but the old vector on the original CPU remains allocated and is not immediately reclaimed. Instead, apicd->move_in_progress is flagged, and the reclaim is delayed until the interrupt next triggers on the new CPU.
When the interrupt subsequently triggers on the new CPU, irq_complete_move() adds a task to the old CPU's vector_cleanup list if that CPU is still online. The timer on the old CPU then iterates over its vector_cleanup list, reclaiming old vectors.
However, a rare scenario arises if the old CPU goes offline before the interrupt triggers again on the new CPU.
In that case irq_force_complete_move() is not invoked on the outgoing CPU to reclaim the old apicd->prev_vector, because the interrupt is not currently affine to the outgoing CPU and irq_needs_fixup() returns false. Even though vector_schedule_cleanup() is later called on the new CPU, it does not reclaim apicd->prev_vector; it simply resets both apicd->move_in_progress and apicd->prev_vector to 0.
As a result, the vector remains unreclaimed in vector_matrix, leading to a CPU vector leak.
To address this issue, move the invocation of irq_force_complete_move() before the irq_needs_fixup() call so that apicd->prev_vector is reclaimed if the interrupt is currently, or used to be, affine to the outgoing CPU.
Additionally, reclaim the vector in vector_schedule_cleanup() as well, following a warning message, although in theory it should never see apicd->move_in_progress set with apicd->prev_cpu pointing to an offline CPU.
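To make the race concrete, the following added example (not kernel code, and not part of the advisory) models the vector accounting in user-space C. The functions borrow the names of the kernel routines the advisory cites but are simplified stand-ins; the two-CPU counters, the fix_offline/fix_cleanup switches and the leaked_vectors_after_race() driver are constructed here for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed user-space model of the kernel's per-CPU vector accounting (not kernel code). */
static int vectors_in_use[2];
static bool cpu_online[2];
/* Per-interrupt state, using the field names from the advisory; vector 0 means "none". */
struct apic_chip_data { int cpu, prev_cpu, vector, prev_vector; bool move_in_progress; };

/* irq_move_irq(): take a vector on the new CPU, leave the old one allocated but pending. */
static void irq_move_irq(struct apic_chip_data *d, int new_cpu) {
    d->prev_cpu = d->cpu; d->prev_vector = d->vector; d->move_in_progress = true;
    d->cpu = new_cpu; d->vector = ++vectors_in_use[new_cpu];
}
/* irq_force_complete_move(): reclaim the pending old vector immediately. */
static void irq_force_complete_move(struct apic_chip_data *d) {
    if (!d->move_in_progress) return;
    vectors_in_use[d->prev_cpu]--; d->move_in_progress = false; d->prev_vector = 0;
}
/* CPU offline. Unfixed: irq_needs_fixup() only asks whether the IRQ is *currently* affine
 * to this CPU, so a vector that merely *used to be* here is skipped. Fixed: reclaim first. */
static void cpu_offline(struct apic_chip_data *d, int cpu, bool fix_offline) {
    cpu_online[cpu] = false;
    if (fix_offline && (d->cpu == cpu || d->prev_cpu == cpu)) irq_force_complete_move(d);
    if (d->cpu != cpu) return;               /* irq_needs_fixup() == false */
    irq_force_complete_move(d);
}
/* vector_schedule_cleanup() when the IRQ fires on the new CPU. Unfixed: with prev_cpu
 * already offline the fields are reset but the vector is never freed. */
static void vector_schedule_cleanup(struct apic_chip_data *d, bool fix_cleanup) {
    if (!d->move_in_progress) return;
    if (cpu_online[d->prev_cpu] || fix_cleanup) vectors_in_use[d->prev_cpu]--;
    d->move_in_progress = false; d->prev_vector = 0;
}
/* The race from the advisory: affinity moves CPU0 -> CPU1 and CPU0 goes offline before
 * the IRQ fires on CPU1. Returns vectors still accounted to offline CPU0 (the leak). */
static int leaked_vectors_after_race(bool fix_offline, bool fix_cleanup) {
    struct apic_chip_data d = { .cpu = 0, .vector = 1 };
    vectors_in_use[0] = 1; vectors_in_use[1] = 0; cpu_online[0] = cpu_online[1] = true;
    irq_move_irq(&d, 1);
    cpu_offline(&d, 0, fix_offline);
    vector_schedule_cleanup(&d, fix_cleanup);
    return vectors_in_use[0];
}

int main(void) {
    printf("unfixed: %d leaked vector(s); fixed: %d\n",
           leaked_vectors_after_race(false, false), leaked_vectors_after_race(true, true));
    return 0;
}
```

Either half of the fix alone closes the leak in this model, which matches the advisory's belt-and-braces approach of reclaiming both on the offline path and in vector_schedule_cleanup().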
Other sources
In the Linux kernel, the following vulnerability has been resolved:
genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
The Linux kernel CVE team has assigned CVE-2024-31076 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024062134-CVE-2024-31076-786e@gregkh/T
— Red Hat
Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a vector leak during CPU offline. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
— IBM
Frequently Asked Questions
What is the severity of CVE-2024-31076?
CVE-2024-31076 is classified as having medium severity due to its potential impact on CPU offline operations in the Linux kernel.
How do I fix CVE-2024-31076?
To fix CVE-2024-31076, update your Linux kernel to versions 4.19.316, 5.4.278, 5.10.219, 5.15.161, 6.1.93, 6.6.33, 6.9.4, or 6.10.
What systems are affected by CVE-2024-31076?
CVE-2024-31076 affects various Linux kernel versions across Red Hat and Debian distributions.
What could happen if CVE-2024-31076 is exploited?
Exploitation of CVE-2024-31076 could lead to incorrect interrupt affinity management during CPU offline operations, potentially causing instability.
Is CVE-2024-31076 related to other vulnerabilities?
CVE-2024-31076 is part of broader issues with interrupt management in the Linux kernel, which should be monitored for related vulnerabilities.