A vulnerability was discovered in the Linux kernel's irqchip/gic-v3-its driver: interrupts were re-enabled inside a nested interrupt-disabled section, a state that malicious actors could potentially exploit. The vulnerability has been resolved, and this post details the faulty call chain, the code change that fixes it, and the original references to help you understand the issue and its solution.

Exploit Details

The vulnerability occurs because the its_irq_set_vcpu_affinity() function enables interrupts on exit from its critical section, even though its caller already holds a lock taken with interrupts disabled. The following call chain shows how interrupts end up enabled in a nested interrupt-disabled section:

irq_set_vcpu_affinity()
  irq_get_desc_lock()
     raw_spin_lock_irqsave()   <--- Disable interrupts
  its_irq_set_vcpu_affinity()
     guard(raw_spinlock_irq)   <--- Enables interrupts when leaving the guard()
  irq_put_desc_unlock()        <--- Warns because interrupts are enabled

This issue was introduced in commit b97e8a2f713, which replaced the original raw_spin_[un]lock() pair with guard(raw_spinlock_irq).

Solution

To fix this vulnerability, the use of guard(raw_spinlock_irq) has been replaced with guard(raw_spinlock) in the its_irq_set_vcpu_affinity() function. This change ensures that interrupts remain disabled, resolving the issue.

The fixed call chain looks like this:

irq_set_vcpu_affinity()
  irq_get_desc_lock()
     raw_spin_lock_irqsave()   <--- Disable interrupts
  its_irq_set_vcpu_affinity()
     guard(raw_spinlock)       <--- Keep interrupts disabled
  irq_put_desc_unlock()        <--- No warning because interrupts remain disabled
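To make the difference between the two guards concrete, here is an added, constructed model of the interrupt state and the lock primitives involved (it is not kernel code). It replays the call chain above once with the buggy guard(raw_spinlock_irq) pair and once with the fixed guard(raw_spinlock) pair, and reports whether interrupts are wrongly enabled when irq_put_desc_unlock() is reached, which is the condition the kernel warns about.

```c
#include <stdbool.h>

/* Constructed stand-ins for the running CPU's interrupt state and the
 * two locks (irq_desc->lock and the ITS lock); added illustration only. */
static bool irqs_enabled = true;
static int desc_lock = 0;
static int its_lock = 0;

static void local_irq_disable(void) { irqs_enabled = false; }
static void local_irq_enable(void)  { irqs_enabled = true; }

/* raw_spin_lock_irqsave(): remember the current state, then disable. */
static void raw_spin_lock_irqsave(int *lock, bool *flags)
{
    *flags = irqs_enabled;
    local_irq_disable();
    *lock = 1;
}
static void raw_spin_unlock_irqrestore(int *lock, bool flags)
{
    *lock = 0;
    irqs_enabled = flags;          /* restores whatever the caller had */
}

/* The _irq pair (what guard(raw_spinlock_irq) expands to) disables on
 * entry and unconditionally ENABLES on exit, ignoring the saved state. */
static void raw_spin_lock_irq(int *lock)   { local_irq_disable(); *lock = 1; }
static void raw_spin_unlock_irq(int *lock) { *lock = 0; local_irq_enable(); }

/* The plain pair (guard(raw_spinlock)) leaves the interrupt state alone. */
static void raw_spin_lock(int *lock)   { *lock = 1; }
static void raw_spin_unlock(int *lock) { *lock = 0; }

/* Model of irq_set_vcpu_affinity(); returns true if interrupts are enabled
 * at the point where irq_put_desc_unlock() would warn. */
bool irq_set_vcpu_affinity_model(bool use_irq_guard)
{
    bool flags;
    irqs_enabled = true;                        /* caller runs with IRQs on */
    raw_spin_lock_irqsave(&desc_lock, &flags);  /* irq_get_desc_lock() */
    if (use_irq_guard) {                        /* its_irq_set_vcpu_affinity() */
        raw_spin_lock_irq(&its_lock);
        raw_spin_unlock_irq(&its_lock);         /* guard exit enables IRQs */
    } else {
        raw_spin_lock(&its_lock);
        raw_spin_unlock(&its_lock);             /* IRQs stay disabled */
    }
    bool leaked = irqs_enabled;                 /* irq_put_desc_unlock() check */
    raw_spin_unlock_irqrestore(&desc_lock, flags);
    return leaked;
}
```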

Original References

1. Linux kernel patch submission: irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity()
2. The commit which introduced the issue: b97e8a2f713

Conclusion

The CVE-2024-57949 vulnerability found in the Linux kernel's irqchip/gic-v3-its component has been successfully resolved. By replacing the guard(raw_spinlock_irq) usage with guard(raw_spinlock) in the its_irq_set_vcpu_affinity() function, the interrupts remain disabled as needed, thus preventing potential exploitation. Developers and system administrators are encouraged to update their Linux kernels to ensure they have this fix in place.

Timeline

Published on: 02/09/2025 12:15:28 UTC
Last modified on: 02/11/2025 16:06:53 UTC