{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-57951", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-01-19T11:50:08.381Z", "datePublished": "2025-02-12T13:27:53.124Z", "dateUpdated": "2025-02-12T13:27:53.124Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-12T13:27:53.124Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhrtimers: Handle CPU state correctly on hotplug\n\nConsider a scenario where a CPU transitions from CPUHP_ONLINE to halfway\nthrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to\nCPUHP_ONLINE:\n\nSince hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set\nto 1 throughout. However, during a CPU unplug operation, the tick and the\nclockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online\nstate, for instance CFS incorrectly assumes that the hrtick is already\nactive, and the chance of the clockevent device to transition to oneshot\nmode is also lost forever for the CPU, unless it goes back to a lower state\nthan CPUHP_HRTIMERS_PREPARE once.\n\nThis round-trip reveals another issue; cpu_base.online is not set to 1\nafter the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().\n\nAside of that, the bulk of the per CPU state is not reset either, which\nmeans there are dangling pointers in the worst case.\n\nAddress this by adding a corresponding startup() callback, which resets the\nstale per CPU state and sets the online flag.\n\n[ tglx: Make the new callback unconditionally available, remove the online\n \tmodification in the prepare() callback and clear the remaining\n \tstate in the starting callback instead of the prepare callback ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/hrtimer.h", "kernel/cpu.c", "kernel/time/hrtimer.c"], "versions": [{"version": "54d0d83a53508d687fd4a225f8aa1f18559562d0", "lessThan": "95e4f62df23f4df1ce6ef897d44b8e23c260921a", "status": "affected", "versionType": "git"}, {"version": "7f4c89400d2997939f6971c7981cc780a219e36b", "lessThan": "14984139f1f2768883332965db566ef26db609e7", "status": "affected", "versionType": "git"}, {"version": "6fcbcc6c8e52650749692c7613cbe71bf601670d", "lessThan": "15b453db41d36184cf0ccc21e7df624014ab6a1a", "status": "affected", "versionType": "git"}, {"version": "75b5016ce325f1ef9c63e5398a1064cf8a7a7354", "lessThan": "3d41dbf82e10c44e53ea602398ab002baec27e75", "status": "affected", "versionType": "git"}, {"version": "53f408cad05bb987af860af22f4151e5a18e6ee8", "lessThan": "a5cbbea145b400e40540c34816d16d36e0374fbc", "status": "affected", "versionType": "git"}, {"version": "5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94", "lessThan": "38492f6ee883c7b1d33338bf531a62cff69b4b28", "status": "affected", "versionType": "git"}, {"version": "5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94", "lessThan": "2f8dea1692eef2b7ba6a256246ed82c365fdc686", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/linux/hrtimer.h", "kernel/cpu.c", "kernel/time/hrtimer.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.290", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.234", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.177", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.127", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.74", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.11", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a"}, {"url": "https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7"}, {"url": "https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a"}, {"url": "https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75"}, {"url": "https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc"}, {"url": "https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28"}, {"url": "https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686"}], "title": "hrtimers: Handle CPU state correctly on hotplug", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AB35967-8241-4BF5-B781-B331B439E208", "versionEndExcluding": "4.20", "versionStartIncluding": "4.19.302", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D484C596-D387-4551-B727-6BC0B030AA70", "versionEndExcluding": "5.4.290", "versionStartIncluding": "5.4.264", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "33F01B45-42CA-4B50-B3A4-7A67DB1A534B", "versionEndExcluding": "5.10.234", "versionStartIncluding": "5.10.204", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "477F2C85-CBB5-44FD-85D9-2AF8197641CB", "versionEndExcluding": "5.15.177", "versionStartIncluding": "5.15.143", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5FDA4DE-7749-464F-85A4-56CE4C6B7A15", "versionEndExcluding": "6.1.127", "versionStartIncluding": "6.1.68", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "823FCD43-4F73-4C5C-BDA7-21CE53729898", "versionEndExcluding": "6.6.74", "versionStartIncluding": "6.6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7D0DBC3-F63C-4396-8A47-6F3D4FA0556E", "versionEndExcluding": "6.12.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*", "matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhrtimers: Handle CPU state correctly on hotplug\n\nConsider a scenario where a CPU transitions from CPUHP_ONLINE to halfway\nthrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to\nCPUHP_ONLINE:\n\nSince hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set\nto 1 throughout. However, during a CPU unplug operation, the tick and the\nclockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online\nstate, for instance CFS incorrectly assumes that the hrtick is already\nactive, and the chance of the clockevent device to transition to oneshot\nmode is also lost forever for the CPU, unless it goes back to a lower state\nthan CPUHP_HRTIMERS_PREPARE once.\n\nThis round-trip reveals another issue; cpu_base.online is not set to 1\nafter the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().\n\nAside of that, the bulk of the per CPU state is not reset either, which\nmeans there are dangling pointers in the worst case.\n\nAddress this by adding a corresponding startup() callback, which resets the\nstale per CPU state and sets the online flag.\n\n[ tglx: Make the new callback unconditionally available, remove the online\n \tmodification in the prepare() callback and clear the remaining\n \tstate in the starting callback instead of the prepare callback ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hrtimers: Controlar el estado de la CPU correctamente en hotplug Considere un escenario donde una CPU pasa de CPUHP_ONLINE a la mitad de un hotunplug de CPU hasta CPUHP_HRTIMERS_PREPARE, y luego vuelve a CPUHP_ONLINE: Dado que hrtimers_prepare_cpu() no se ejecuta, cpu_base.hres_active permanece establecido en 1 durante todo el proceso. Sin embargo, durante una operaci\u00f3n de desconexi\u00f3n de la CPU, el tick y los clockevents se apagan en CPUHP_AP_TICK_DYING. Al volver al estado en l\u00ednea, por ejemplo, CFS supone incorrectamente que el hrtick ya est\u00e1 activo, y la posibilidad de que el dispositivo clockevent pase al modo one-shot tambi\u00e9n se pierde para siempre para la CPU, a menos que vuelva a un estado inferior a CPUHP_HRTIMERS_PREPARE una vez. Este viaje de ida y vuelta revela otro problema; cpu_base.online no se establece en 1 despu\u00e9s de la transici\u00f3n, lo que aparece como WARN_ON_ONCE en enqueue_hrtimer(). Aparte de eso, la mayor parte del estado por CPU tampoco se restablece, lo que significa que hay punteros inactivos en el peor de los casos. Resuelva esto agregando una devoluci\u00f3n de llamada startup() correspondiente, que restablece el estado obsoleto por CPU y establece el indicador en l\u00ednea. [ tglx: haga que la nueva devoluci\u00f3n de llamada est\u00e9 disponible incondicionalmente, elimine la modificaci\u00f3n en l\u00ednea en la devoluci\u00f3n de llamada prepare() y borre el estado restante en la devoluci\u00f3n de llamada de inicio en lugar de la devoluci\u00f3n de llamada de preparaci\u00f3n ]"}], "id": "CVE-2024-57951", "lastModified": "2025-02-14T15:57:18.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-12T14:15:31.403", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}