CVE-2024-47717 in Linuxinfo

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data

With the latest Linux-6.11-rc3, the below NULL pointer crash is observed when SBI PMU snapshot is enabled for the guest and the guest is forcefully powered-off.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508 Oops [#1]
Modules linked in: kvm CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3 Hardware name: riscv-virtio,qemu (DT) epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0 gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000 t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0 s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086 a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0 a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000 s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000 s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001 s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3 t5 : ffffffff814126e0 t6 : ffffffff81412700 status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d [] __kvm_write_guest_page+0x94/0xa6 [kvm]
[] kvm_vcpu_write_guest+0x56/0x90 [kvm]
[] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
[] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
[] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
[] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
[] kvm_destroy_vcpus+0x5a/0xda [kvm]
[] kvm_arch_destroy_vm+0x14/0x28 [kvm]
[] kvm_destroy_vm+0x168/0x2a0 [kvm]
[] kvm_put_kvm+0x3c/0x58 [kvm]
[] kvm_vm_release+0x22/0x2e [kvm]

Clearly, the kvm_vcpu_write_guest() function is crashing because it is being called from kvm_pmu_clear_snapshot_area() upon guest tear down.

To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because the guest is anyway being tore down.

The kvm_pmu_clear_snapshot_area() is also called when guest changes PMU snapshot area of a VCPU but even in this case the previous PMU snaphsot area must not be zeroed-out because the guest might have reclaimed the pervious PMU snapshot area for some other purpose.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 01/19/2026

The vulnerability described in CVE-2024-47717 affects the Linux kernel's RISC-V KVM implementation and represents a NULL pointer dereference occurring during virtual machine teardown operations. This issue manifests when SBI PMU snapshot functionality is enabled for a guest virtual machine and the guest is forcibly powered off. The crash occurs at virtual address 0000000000000508, indicating that the kernel attempted to access a NULL pointer during the cleanup process. The stack trace reveals the execution path leading to the failure through multiple kernel functions including __kvm_write_guest_page, kvm_vcpu_write_guest, and kvm_pmu_clear_snapshot_area, ultimately originating from kvm_arch_vcpu_destroy during the virtual machine destruction sequence. This vulnerability specifically impacts systems utilizing RISC-V architecture with KVM virtualization capabilities and demonstrates a critical flaw in the cleanup handling of PMU snapshot areas during guest termination.

The technical root cause stems from improper memory management during virtual CPU cleanup operations within the KVM subsystem. The kvm_pmu_clear_snapshot_area function attempts to zero out the PMU snapshot area before freeing associated data structures, but fails to account for the fact that the guest memory region may have already been deallocated or invalidated during the forced power-off scenario. This improper handling creates a situation where the kernel tries to write to a NULL pointer address, resulting in an immediate system crash. The vulnerability is classified as a memory safety issue and aligns with CWE-476 which describes NULL pointer dereference conditions in software systems. The flaw specifically occurs in the RISC-V architecture implementation of KVM virtualization, making it architecture-specific and requiring targeted fixes for the affected platform.

The operational impact of this vulnerability is significant as it can cause system crashes and potential data loss during normal virtual machine operations, particularly when guests are forcibly terminated. This affects virtualized environments running RISC-V based systems where PMU snapshot functionality is utilized, potentially leading to service disruptions and system instability. The vulnerability exposes a race condition or improper state management during virtual machine teardown processes, which could be exploited by malicious actors to cause denial of service conditions. According to ATT&CK framework, this vulnerability relates to privilege escalation and system stability compromise through kernel-level memory corruption, specifically targeting the KVM subsystem's virtual CPU management capabilities. Organizations running RISC-V virtualized environments must be particularly concerned about this issue as it can affect the reliability and availability of their virtualized infrastructure.

The fix implemented addresses the core issue by modifying the kvm_pmu_clear_snapshot_area function to avoid zeroing out the PMU snapshot area during cleanup operations. This approach recognizes that when a guest is being torn down, the memory regions are already being freed and the zeroing operation becomes unnecessary and potentially harmful. The solution also acknowledges that even in normal operation where PMU snapshot areas are changed, the previous areas should not be zeroed out since the guest may have reclaimed those memory regions for different purposes. This fix aligns with secure coding practices by eliminating unnecessary memory operations during cleanup and preventing potential NULL pointer dereferences. The resolution effectively prevents the crash scenario by ensuring that cleanup operations do not attempt to access invalid memory addresses, thereby maintaining system stability during virtual machine lifecycle management operations.

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00214

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!