A recently resolved vulnerability in the Linux kernel has been identified as CVE-2024-26598. It affects the KVM arm64 vgic-its code and is fixed by the patch titled "KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache". In this post, we will discuss the exploit details, the code snippet that resolves the issue, and the links to the original references.

Background

Essentially, a potential use-after-free (UAF) has been identified when a locality-specific peripheral interrupt (LPI) translation cache hit races with an operation that invalidates the cache, such as a DISCARD Interrupt Translation Service (ITS) command. The core issue is that the lookup does not raise the reference count on the vgic_irq before dropping the lock that serializes reference count changes, so the invalidating side can release the object while the lookup's caller still holds a pointer to it.

Here's the code snippet that addresses the issue:

static struct vgic_irq *vgic_its_check_cache(struct kvm *kvm, u64 itt_addr)
{
   struct vgic_translation_cache_entry *lrc_entry;
   struct vgic_irq *vgic_irq = NULL;
   ...
   spin_lock(&kvm->lock);
   lrc_entry = vgic_its_get_lrc_cache(kvm, &key);
   if (lrc_entry) {
      vgic_irq = lrc_entry->irq;
      vgic_get_irq(kvm, vgic_irq); // Raise the refcount on the returned vgic_irq while the lock still serializes refcount changes
   }
   spin_unlock(&kvm->lock);
   ...
   return vgic_irq; // Caller now owns one reference and must drop it with vgic_put_irq()
}

static void vgic_its_inject_lpi(struct kvm *kvm, struct kvm_vcpu *vcpu,
                                struct vgic_irq *irq)
{
   ...
   vgic_its_inject(vcpu, irq);

   vgic_put_irq(kvm, irq); // Corresponding decrement after queueing the interrupt
   ...
}

By adding the reference count increment (vgic_get_irq(kvm, vgic_irq);) while the cache lock is still held, and the matching decrement (vgic_put_irq(kvm, irq);) once the interrupt has been queued, the vgic_irq cannot be freed between the cache hit and its use, and the vulnerability is resolved.

Exploit details

The exploit relies on racing an LPI translation cache hit with an operation that invalidates the cache, such as a DISCARD ITS command. The problematic situation arises because vgic_its_check_cache() does not increase the reference count on the vgic_irq before releasing the lock that serializes reference count changes. If the invalidation drops the last reference before the injection path uses the cached pointer, the result is a use-after-free that can crash the system or be abused by an attacker to gain unauthorized access.
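To make the race described in the background and exploit sections concrete, here is an added userspace model (example code written for this post, not kernel code). It replaces struct vgic_irq with a refcounted object that records its release instead of being freed, replays the problematic interleaving (cache hit, then DISCARD, then use of the hit) through both the unfixed and the fixed lookup, and reports whether the use touched a released object. The lock is modelled as a flag so the point stays where the lock is dropped, not real threading; all names are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct vgic_irq (constructed for this example). The last put()
 * sets "released" rather than freeing memory, so a stale use is detectable
 * deterministically instead of being undefined behaviour. */
struct irq_obj {
    int refcount;
    bool released;
    unsigned int intid;
};

/* Single-slot translation cache guarded by a lock. The lock is a plain flag:
 * this example shows where the lock is dropped, not real concurrency. */
struct lpi_cache {
    bool lock_held;
    struct irq_obj *entry;
};

static void lock_acquire(struct lpi_cache *c)
{
    if (c->lock_held)
        abort();             /* recursive take would be a bug in the model */
    c->lock_held = true;
}

static void lock_release(struct lpi_cache *c)
{
    c->lock_held = false;
}

/* Reference-count changes are only legal while the cache lock is held. */
static void irq_get(struct lpi_cache *c, struct irq_obj *irq)
{
    if (!c->lock_held)
        abort();
    irq->refcount++;
}

static void irq_put(struct lpi_cache *c, struct irq_obj *irq)
{
    lock_acquire(c);
    if (--irq->refcount == 0)
        irq->released = true;    /* would be the actual free in the kernel */
    lock_release(c);
}

/* Before the fix: hand back the cached pointer with no reference of our own. */
static struct irq_obj *cache_lookup_unfixed(struct lpi_cache *c)
{
    lock_acquire(c);
    struct irq_obj *irq = c->entry;
    lock_release(c);
    return irq;
}

/* After the fix: take a reference while the lock still serializes refcounts. */
static struct irq_obj *cache_lookup_fixed(struct lpi_cache *c)
{
    lock_acquire(c);
    struct irq_obj *irq = c->entry;
    if (irq)
        irq_get(c, irq);
    lock_release(c);
    return irq;
}

/* The invalidating side (a DISCARD command): the cache drops its reference. */
static void cache_discard(struct lpi_cache *c)
{
    lock_acquire(c);
    struct irq_obj *irq = c->entry;
    c->entry = NULL;
    lock_release(c);
    if (irq)
        irq_put(c, irq);
}

struct outcome {
    bool used_released_irq;  /* the injection path touched a released object */
    int refcount_after;      /* refcount once the injection path is done */
    bool released_after;     /* object released once no user remained */
};

/* Replay the interleaving: cache hit, then DISCARD, then use of the hit. */
struct outcome run_interleaving(bool fixed)
{
    struct irq_obj irq = { .refcount = 1, .released = false, .intid = 8192 };
    struct lpi_cache c = { .lock_held = false, .entry = &irq };
    struct outcome o;

    struct irq_obj *hit = fixed ? cache_lookup_fixed(&c) : cache_lookup_unfixed(&c);
    cache_discard(&c);                       /* lands between lookup and use */
    o.used_released_irq = hit->released;     /* inject path dereferences the hit */
    if (fixed)
        irq_put(&c, hit);                    /* vgic_put_irq() after queueing */
    o.refcount_after = irq.refcount;
    o.released_after = irq.released;
    return o;
}

bool demo_uses_released_irq(bool fixed) { return run_interleaving(fixed).used_released_irq; }
int demo_refcount_after(bool fixed) { return run_interleaving(fixed).refcount_after; }

int main(void)
{
    struct outcome before = run_interleaving(false), after = run_interleaving(true);
    printf("unfixed: used released irq = %d\n", before.used_released_irq);
    printf("fixed:   used released irq = %d, refcount %d, released %d\n",
           after.used_released_irq, after.refcount_after, after.released_after);
    return 0;
}
```

In the unfixed path the DISCARD drops the only reference, so the injection side reads an object that has already been released; in the fixed path the lookup's extra reference keeps the object alive until the matching put, and the refcount still reaches zero afterwards, so nothing leaks.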

References

1. Linux kernel mailing list patch - discussing the vulnerability and the patch applied to fix the issue.
2. Linux kernel source code – the official source code repository for the Linux kernel.

In conclusion, the CVE-2024-26598 vulnerability in the KVM arm64 vgic-its LPI translation cache has been addressed in the Linux kernel. The patch ensures that the reference count on the vgic_irq is properly increased and decreased, which prevents potential use-after-free scenarios and secures the system from unauthorized access or crashes.

Timeline

Published on: 02/23/2024 15:15:09 UTC
Last modified on: 04/17/2024 19:40:31 UTC