CVE-2024-35804 Affecting kernel-modules-extra-common package, versions <0:6.1.84-99.169.amzn2023


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2023-KERNELMODULESEXTRACOMMON-7984460
  • published17 Sept 2024
  • disclosed17 May 2024

Introduced: 17 May 2024

CVE-2024-35804  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 kernel-modules-extra-common to version 0:6.1.84-99.169.amzn2023 or higher.
This issue was patched in ALAS2023-2024-696.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-modules-extra-common package and not the kernel-modules-extra-common package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Mark target gfn of emulated atomic instruction as dirty

When emulating an atomic access on behalf of the guest, mark the target gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This fixes a bug where KVM effectively corrupts guest memory during live migration by writing to guest memory without informing userspace that the page is dirty.

Marking the page dirty got unintentionally dropped when KVM's emulated CMPXCHG was converted to do a user access. Before that, KVM explicitly mapped the guest page into kernel memory, and marked the page dirty during the unmap phase.

Mark the page dirty even if the CMPXCHG fails, as the old data is written back on failure, i.e. the page is still written. The value written is guaranteed to be the same because the operation is atomic, but KVM's ABI is that all writes are dirty logged regardless of the value written. And more importantly, that's what KVM did before the buggy commit.

Huge kudos to the folks on the Cc list (and many others), who did all the actual work of triaging and debugging.

base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64

CVSS Scores

version 3.1