CVE-2024-36912 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl
In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.
In order to make sure callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() don't return decrypted/shared pages to allocators, add a field in struct vmbus_gpadl to keep track of the decryption status of the buffers. This will allow the callers to know if they should free or leak the pages.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/02/2025
The vulnerability described in CVE-2024-36912 represents a critical security flaw within the Linux kernel's Hyper-V vmbus driver implementation that specifically affects CoCo (Confidential Computing) virtual machines. This issue stems from inadequate error handling in memory encryption status management during virtual machine communication with the hypervisor. The vulnerability occurs when the untrusted host component in confidential computing environments attempts to manipulate memory encryption states through set_memory_encrypted() or set_memory_decrypted() functions, which can fail and leave memory in an inconsistent state where the memory becomes shared but not properly encrypted or decrypted. This scenario creates a fundamental security risk as the memory management system could inadvertently return decrypted or shared pages to the page allocator, potentially exposing sensitive data or enabling privilege escalation attacks.
The technical root cause of this vulnerability lies in the insufficient tracking of memory encryption status within the vmbus_gpadl structure, which is used for managing guest physical address lists in Hyper-V virtualization environments. When vmbus_establish_gpadl() and vmbus_teardown_gpadl() functions are called, they fail to properly maintain awareness of whether the memory buffers have been successfully encrypted or decrypted. This lack of status tracking means that if the set_memory_encrypted() or set_memory_decrypted() operations return errors, the system cannot reliably determine the actual encryption state of memory pages. The vulnerability manifests when error conditions occur during memory management operations, particularly in confidential computing scenarios where memory encryption is critical for security. The failure to handle these error conditions properly results in a state where memory pages that should remain encrypted are instead returned to the allocator in a decrypted state, creating potential security exposure points.
The operational impact of this vulnerability extends beyond simple memory management issues and represents a significant threat to the security posture of confidential computing environments. When memory pages are improperly returned to the allocator in a decrypted state, it creates opportunities for information leakage and potential privilege escalation attacks. The vulnerability affects virtual machines running in CoCo environments where the host component cannot be trusted, making it particularly dangerous in cloud computing and multi-tenant environments. Attackers could potentially exploit this flaw to access sensitive data that should remain encrypted, or to manipulate memory in ways that could compromise the integrity of the virtual machine. The impact is especially severe because it undermines the fundamental security guarantees that confidential computing environments are designed to provide, potentially allowing attackers to bypass encryption mechanisms that are supposed to protect sensitive data.
The fix implemented addresses this vulnerability by introducing a dedicated field within the struct vmbus_gpadl structure to track the decryption status of memory buffers. This enhancement ensures that callers of vmbus_establish_gpadl() and vmbus_teardown_gpadl() functions can properly determine whether memory pages should be freed or leaked based on their actual encryption status. This approach aligns with security best practices for memory management in virtualized environments and follows the principle of least privilege by ensuring that memory management operations maintain proper state information. The solution prevents the accidental return of decrypted or shared memory pages to the page allocator, thereby maintaining the security boundaries that are essential for confidential computing. This change effectively closes the security gap by ensuring that error conditions in memory encryption operations are properly handled and that the system maintains accurate state information about memory encryption status throughout the lifecycle of virtual machine memory management operations.
This vulnerability classification aligns with CWE-391, which deals with Unchecked Error Condition, and relates to the broader category of memory safety issues in kernel space. From an ATT&CK perspective, this vulnerability could be leveraged for privilege escalation and information disclosure techniques, potentially enabling adversaries to move laterally within virtualized environments or access sensitive data that should remain protected. The fix demonstrates proper error handling practices and state management that are essential for maintaining security boundaries in virtualized computing environments. The mitigation approach taken by the kernel developers ensures that memory management operations maintain proper state consistency, which is critical for preventing information leakage and maintaining the security guarantees that confidential computing environments require. This vulnerability highlights the importance of robust error handling in kernel space operations, particularly in environments where memory encryption is a fundamental security control.