In the Linux kernel, the following vulnerability has been resolved:
KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
Use {READ,WRITE}_ONCE() to access kvm->last_boosted_vcpu to ensure the
loads and stores are atomic. In the extremely unlikely scenario the
compiler tears the stores, it's theoretically possible for KVM to attempt
to get a vCPU using an out-of-bounds index, e.g. if the write is split
into multiple 8-bit stores, and is paired with a 32-bit load on a VM with
257 vCPUs:
CPU0 CPU1
last_boosted_vcpu = 0xff;
(last_boosted_vcpu = 0x100)
last_boosted_vcpu[15:8] = 0x01;
i = (last_boosted_vcpu = 0x1ff)
last_boosted_vcpu[7:0] = 0x00;
vcpu = kvm->vcpu_array[0x1ff];
As detected by KCSAN:
BUG: KCSAN: data-race in kvm_vcpu_on_spin [kvm] / kvm_vcpu_on_spin [kvm]
write to 0xffffc90025a92344 of 4 bytes by task 4340 on cpu 16:
kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4112) kvm
handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
__x64_sys_ioctl (fs/ioctl.c:890)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
read to 0xffffc90025a92344 of 4 bytes by task 4342 on cpu 4:
kvm_vcpu_on_spin (arch/x86/kvm/../../../virt/kvm/kvm_main.c:4069) kvm
handle_pause (arch/x86/kvm/vmx/vmx.c:5929) kvm_intel
vmx_handle_exit (arch/x86/kvm/vmx/vmx.c:?
arch/x86/kvm/vmx/vmx.c:6606) kvm_intel
vcpu_run (arch/x86/kvm/x86.c:11107 arch/x86/kvm/x86.c:11211) kvm
kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:?) kvm
kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:?) kvm
__se_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:904 fs/ioctl.c:890)
__x64_sys_ioctl (fs/ioctl.c:890)
x64_sys_call (arch/x86/entry/syscall_64.c:33)
do_syscall_64 (arch/x86/entry/common.c:?)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
value changed: 0x00000012 -> 0x00000000
References
Configurations
Configuration 1 (hide)
|
History
17 Sep 2025, 15:02
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.7 |
| First Time |
Linux
Linux linux Kernel |
|
| CWE | CWE-362 | |
| CPE | cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* |
|
| References | () https://git.kernel.org/stable/c/11a772d5376aa6d3e2e69b5b5c585f79b60c0e17 - Patch | |
| References | () https://git.kernel.org/stable/c/49f683b41f28918df3e51ddc0d928cb2e934ccdb - Patch | |
| References | () https://git.kernel.org/stable/c/4c141136a28421b78f34969b25a4fa32e06e2180 - Patch | |
| References | () https://git.kernel.org/stable/c/71fbc3af3dacb26c3aa2f30bb3ab05c44d082c84 - Patch | |
| References | () https://git.kernel.org/stable/c/82bd728a06e55f5b5f93d10ce67f4fe7e689853a - Patch | |
| References | () https://git.kernel.org/stable/c/92c77807d938145c7c3350c944ef9f39d7f6017c - Patch | |
| References | () https://git.kernel.org/stable/c/95c8dd79f3a14df96b3820b35b8399bd91b2be60 - Patch | |
| References | () https://git.kernel.org/stable/c/a937ef951bba72f48d2402451419d725d70dba20 - Patch |
Information
Published : 2024-07-12 13:15
Updated : 2025-09-17 15:02
NVD link : CVE-2024-40953
Mitre link : CVE-2024-40953
CVE.ORG link : CVE-2024-40953
JSON object : View
Products Affected
linux
- linux_kernel
CWE
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')