{
  "threat_severity" : "Moderate",
  "public_date" : "2024-11-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: arm64/sve: Discard stale CPU state when handling SVE traps",
    "id" : "2327198",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2327198"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-99",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\narm64/sve: Discard stale CPU state when handling SVE traps\nThe logic for handling SVE traps manipulates saved FPSIMD/SVE state\nincorrectly, and a race with preemption can result in a task having\nTIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state\nis stale (e.g. with SVE traps enabled). This has been observed to result\nin warnings from do_sve_acc() where SVE traps are not expected while\nTIF_SVE is set:\n|         if (test_and_set_thread_flag(TIF_SVE))\n|                 WARN_ON(1); /* SVE access shouldn't have trapped */\nWarnings of this form have been reported intermittently, e.g.\nhttps://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/\nhttps://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/\nThe race can occur when the SVE trap handler is preempted before and\nafter manipulating the saved FPSIMD/SVE state, starting and ending on\nthe same CPU, e.g.\n| void do_sve_acc(unsigned long esr, struct pt_regs *regs)\n| {\n|         // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled\n|         // task->fpsimd_cpu is 0.\n|         // per_cpu_ptr(&fpsimd_last_state, 0) is task.\n|\n|         ...\n|\n|         // Preempted; migrated from CPU 0 to CPU 1.\n|         // TIF_FOREIGN_FPSTATE is set.\n|\n|         get_cpu_fpsimd_context();\n|\n|         if (test_and_set_thread_flag(TIF_SVE))\n|                 WARN_ON(1); /* SVE access shouldn't have trapped */\n|\n|         sve_init_regs() {\n|                 if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {\n|                         ...\n|                 } else {\n|                         fpsimd_to_sve(current);\n|                         current->thread.fp_type = FP_STATE_SVE;\n|                 }\n|         }\n|\n|         put_cpu_fpsimd_context();\n|\n|         // Preempted; migrated from CPU 1 to CPU 0.\n|         // task->fpsimd_cpu is still 0\n|         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:\n|         // - Stale HW state is reused (with SVE traps enabled)\n|         // - TIF_FOREIGN_FPSTATE is cleared\n|         // - A return to userspace skips HW state restore\n| }\nFix the case where the state is not live and TIF_FOREIGN_FPSTATE is set\nby calling fpsimd_flush_task_state() to detach from the saved CPU\nstate. This ensures that a subsequent context switch will not reuse the\nstale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the\nnew state to be reloaded from memory prior to a return to userspace." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-02-05T00:00:00Z",
    "advisory" : "RHSA-2025:1067",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.37.1.rt7.378.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-02-05T00:00:00Z",
    "advisory" : "RHSA-2025:1068",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.37.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2025-03-10T00:00:00Z",
    "advisory" : "RHSA-2025:2525",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.93.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-01-22T00:00:00Z",
    "advisory" : "RHSA-2025:0578",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.22.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-01-22T00:00:00Z",
    "advisory" : "RHSA-2025:0578",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.22.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-02-19T00:00:00Z",
    "advisory" : "RHSA-2025:1658",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.55.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50275\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50275\nhttps://lore.kernel.org/linux-cve-announce/2024111934-CVE-2024-50275-2e49@gregkh/T" ],
  "name" : "CVE-2024-50275",
  "csaw" : false
}