CVE-2024-35804 in Linux

Summary

by MITRE • 05/17/2024

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Mark target gfn of emulated atomic instruction as dirty

When emulating an atomic access on behalf of the guest, mark the target gfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This fixes a bug where KVM effectively corrupts guest memory during live migration by writing to guest memory without informing userspace that the page is dirty.

Marking the page dirty got unintentionally dropped when KVM's emulated CMPXCHG was converted to do a user access. Before that, KVM explicitly mapped the guest page into kernel memory, and marked the page dirty during the unmap phase.

Mark the page dirty even if the CMPXCHG fails, as the old data is written back on failure, i.e. the page is still written. The value written is guaranteed to be the same because the operation is atomic, but KVM's ABI is that all writes are dirty logged regardless of the value written. And more importantly, that's what KVM did before the buggy commit.

Huge kudos to the folks on the Cc list (and many others), who did all the actual work of triaging and debugging.

base-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64


Analysis

by VulDB Data Team • 07/21/2025

This vulnerability exists within the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically affecting x86 virtualization implementations. The issue stems from improper memory management during the emulation of atomic instructions, particularly CMPXCHG operations, which are fundamental to concurrent programming and memory synchronization. When KVM emulates atomic memory operations on behalf of virtual machines, it must maintain accurate tracking of memory modifications to ensure proper virtual machine state management and migration capabilities. The vulnerability represents a critical flaw in the dirty page tracking mechanism that governs how KVM monitors memory changes for migration purposes.

The technical flaw manifests when KVM attempts to emulate a CMPXCHG instruction, an atomic compare-and-exchange operation that modifies memory conditionally. During live migration scenarios, KVM must accurately mark guest memory pages as "dirty" to ensure proper state synchronization between source and destination hosts. The bug occurred during a code refactoring where KVM's CMPXCHG emulation was converted to use user access patterns instead of direct kernel memory mapping. This conversion inadvertently removed the explicit dirty page marking logic that was previously handled during the page unmapping phase, creating a gap in memory tracking that leads to inconsistent virtual machine state management.

The operational impact of this vulnerability is severe for live migration operations and virtual machine management systems. When a virtual machine undergoes live migration, KVM must ensure all modified memory pages are properly synchronized between the source and destination hosts. Without proper dirty page tracking, KVM can corrupt guest memory by writing to pages without informing userspace of the modifications, leading to data inconsistencies and potential system instability. This affects not only the immediate migration process but also the broader virtualization infrastructure, as dirty logging is fundamental to memory management and checkpointing mechanisms. The vulnerability essentially breaks the expected KVM ABI (Application Binary Interface) contract where all writes should be marked as dirty regardless of whether the operation succeeds or fails.

The fix addresses this by reinstating the dirty page marking logic for all CMPXCHG operations, ensuring that pages are marked dirty even when the atomic operation fails. This approach aligns with the pre-bug behavior and maintains consistency with KVM's memory tracking requirements. The solution recognizes that even though the CMPXCHG operation may fail and write back the original value, the page was still modified during the operation, requiring dirty logging for proper virtual machine state management. This fix directly relates to CWE-119 Improper Access to Memory Location and ATT&CK technique T1484.001 Domain Accounts: Active Directory Domain Controller, though more specifically it impacts virtualization security through memory corruption and migration integrity issues. The vulnerability demonstrates how seemingly minor code refactoring can introduce critical security implications in virtualization environments, emphasizing the importance of maintaining proper memory access patterns and tracking mechanisms in hypervisor implementations. The resolution restores proper dirty page tracking behavior that was inadvertently removed during the migration from direct kernel memory mapping to user access patterns, ensuring that virtual machine migration operations maintain data integrity and consistent state synchronization.
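The dirty-logging gap described in the summary and the analysis above, as an added model that is not the kernel's code: a constructed four-page guest with a per-gfn dirty flag, an emulated CMPXCHG that can run with or without the dropped marking, and a migration pass that copies only dirty-logged pages and then reports any page the destination still holds stale. The `fixed` flag, the `guest` struct and the gpa layout are assumptions of this model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the bug, not kernel code: a 4-page guest whose
 * dirty flags stand in for KVM's dirty log. */
#define PAGE_SHIFT 12
#define NR_PAGES   4
#define WORDS_PER_PAGE (4096 / 8)

struct guest {
    uint64_t mem[NR_PAGES * WORDS_PER_PAGE];
    uint8_t  dirty[NR_PAGES];   /* one dirty flag per gfn */
};

static uint64_t gpa_to_gfn(uint64_t gpa) { return gpa >> PAGE_SHIFT; }
/* Emulated 8-byte CMPXCHG at gpa. Returns 0 on exchange, 1 when the compare
 * mismatches (x86 still writes the old value back), -1 on a fault (no write).
 * 'fixed' selects the corrected behaviour: mark the gfn dirty whenever the
 * access was attempted and did not fault, regardless of success. */
static int emulator_cmpxchg(struct guest *g, uint64_t gpa, uint64_t expected,
                            uint64_t desired, bool fixed)
{
    uint64_t gfn = gpa_to_gfn(gpa);
    if (gfn >= NR_PAGES || (gpa & 7))
        return -1;                       /* fault: nothing written, nothing to log */
    uint64_t *p = &g->mem[gpa / 8];
    uint64_t cur = *p;
    *p = (cur == expected) ? desired : cur;  /* the write happens in both cases */
    if (fixed)
        g->dirty[gfn] = 1;               /* the marking the buggy conversion dropped */
    return cur == expected ? 0 : 1;
}

/* Migration pass: copy the pages the dirty log flags, then clear the log.
 * Returns the first gfn whose content on the destination still differs from
 * the source, i.e. a page written without being dirty logged; -1 if consistent. */
static int migrate_and_verify(struct guest *src, struct guest *dst)
{
    for (uint64_t gfn = 0; gfn < NR_PAGES; gfn++) {
        if (src->dirty[gfn]) {
            memcpy(&dst->mem[gfn * WORDS_PER_PAGE], &src->mem[gfn * WORDS_PER_PAGE], 4096);
            src->dirty[gfn] = 0;
        }
    }
    for (uint64_t gfn = 0; gfn < NR_PAGES; gfn++)
        if (memcmp(&dst->mem[gfn * WORDS_PER_PAGE], &src->mem[gfn * WORDS_PER_PAGE], 4096))
            return (int)gfn;
    return -1;
}
```

With `fixed` false, a successful exchange leaves the destination holding the pre-exchange value after migration, which is the silent corruption the commit describes; with `fixed` true the same page is copied, and a mismatching compare is logged as dirty too.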

Reservation: 05/17/2024

Disclosure: 05/17/2024

Moderation: accepted

CPE: ready

EPSS: 0.00225

KEV: no

Activities: very low
