CVE-2024-50072 in Linux
Summary
by MITRE • 10/29/2024
In the Linux kernel, the following vulnerability has been resolved:
x86/bugs: Use code segment selector for VERW operand
Robert Gill reported below #GP in 32-bit mode when dosemu software was executing vm86() system call:
general protection fault: 0000 [#1] PREEMPT SMP
CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1 Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010 EIP: restore_all_switch_stack+0xbe/0xcf EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000 ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046 CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0 Call Trace: show_regs+0x70/0x78 die_addr+0x29/0x70 exc_general_protection+0x13c/0x348 exc_bounds+0x98/0x98 handle_exception+0x14d/0x14d exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf exc_bounds+0x98/0x98 restore_all_switch_stack+0xbe/0xcf
This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS are enabled. This is because segment registers with an arbitrary user value can result in #GP when executing VERW. Intel SDM vol. 2C documents the following behavior for VERW instruction:
#GP(0) - If a memory operand effective address is outside the CS, DS, ES, FS, or GS segment limit.
CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user space. Use %cs selector to reference VERW operand. This ensures VERW will not #GP for an arbitrary user %ds.
[ mingo: Fixed the SOB chain. ]
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/21/2025
The vulnerability described in CVE-2024-50072 represents a critical flaw in the Linux kernel's x86 architecture implementation that specifically affects 32-bit mode execution. This issue manifests as a general protection fault when the dosemu software attempts to execute the vm86() system call, indicating a fundamental problem in how the kernel handles segment register validation during CPU buffer clearing operations. The flaw occurs within the context of microcode-level mitigations for speculative execution vulnerabilities such as Microarchitectural Data Sampling MDS and Retpoline Flush Data Store RFDS, which are designed to protect against side-channel attacks by clearing CPU buffers before returning to user space.
The technical root cause lies in the improper handling of the VERW (Verify Write) instruction within the CLEAR_CPU_BUFFERS macro implementation. When executing in 32-bit mode with these mitigations enabled, the kernel attempts to use arbitrary user-provided segment register values as operands for the VERW instruction. According to Intel Software Developer Manual Volume 2C, the VERW instruction generates a general protection fault when the memory operand effective address falls outside the valid segment limits of CS, DS, ES, FS, or GS segments. This behavior creates a scenario where user-controlled data can trigger unexpected faults, effectively creating a potential denial-of-service condition or privilege escalation vector.
The operational impact of this vulnerability extends beyond simple system instability, as it directly affects the reliability of virtualization environments and legacy software execution. The specific execution path leading to the fault involves the restore_all_switch_stack function and subsequent exception handling mechanisms, indicating that this flaw impacts the kernel's ability to properly transition between kernel and user space contexts. The vulnerability is particularly concerning because it requires specific conditions to manifest - namely 32-bit mode execution with MDS/RFDS mitigations enabled - but once triggered, it can compromise system stability and potentially provide attackers with opportunities to exploit the fault handling mechanisms.
This vulnerability aligns with CWE-119: Improper Access to Memory and CWE-248: Uncaught Exception categories, while also demonstrating characteristics of ATT&CK technique T1068: Exploitation for Privilege Escalation through improper handling of system-level exceptions. The fix implemented by the kernel developers addresses the core issue by explicitly using the code segment selector (%cs) when executing the VERW operand, ensuring that the instruction will not generate general protection faults due to arbitrary user values in the data segment register. This mitigation approach directly addresses the fundamental flaw in segment register validation while maintaining the intended security benefits of CPU buffer clearing operations.
The broader implications of this vulnerability highlight the complexity of implementing security mitigations in kernel space, where seemingly minor implementation details can create significant stability and security issues. The fix demonstrates the importance of proper segment register handling in low-level system operations and reinforces the need for thorough testing of security mitigations in various execution contexts. This vulnerability serves as a reminder of the delicate balance between providing robust security protections and maintaining system stability, particularly in virtualized environments where legacy software compatibility is essential. The resolution ensures that CPU buffer clearing operations can proceed reliably without being disrupted by user-space data that might inadvertently trigger system-level exceptions during the critical transition points between kernel and user execution contexts.