CVE-2024-47717
📋 TL;DR
A NULL pointer dereference in the Linux kernel's KVM subsystem for RISC-V allows a local attacker to crash the host kernel when a guest VM with SBI PMU snapshot enabled is forcefully powered off. This affects systems running the Linux kernel with KVM virtualization on the RISC-V architecture. The vulnerability can lead to denial of service on the host system.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Host kernel crash leading to complete system downtime and potential data loss for all VMs running on the host.
Likely Case
Host kernel panic when a guest VM with PMU snapshot enabled is terminated unexpectedly, causing temporary denial of service.
If Mitigated
No impact if the system is patched or if PMU snapshot feature is not enabled for guest VMs.
🎯 Exploit Status
Exploitation requires local access to the host system and ability to create/terminate guest VMs with PMU snapshot enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 6.11-rc4 and later, backported to stable branches
Vendor Advisory: https://git.kernel.org/stable/c/47d40d93292d9cff8dabb735bed83d930fa03950
Restart Required: Yes
Instructions:
1. Update Linux kernel to version 6.11-rc4 or later
2. Alternatively, apply the specific patch commits to your kernel version
3. Reboot the system to load the new kernel
🔧 Temporary Workarounds
Disable PMU snapshot for guest VMs
Prevent guest VMs from using the SBI PMU snapshot feature, which triggers the vulnerability.
# Configure guest VMs to not use PMU snapshot feature
Avoid forceful guest termination
Use proper shutdown procedures for guest VMs instead of forceful power-off.
# Use 'virsh shutdown' or equivalent instead of 'virsh destroy'
🧯 If You Can't Patch
- Restrict local user access to KVM management tools
- Monitor for unexpected guest VM terminations and investigate root causes
🔍 How to Verify
Check if Vulnerable:
Check the kernel version with 'uname -r'; releases 6.11-rc3 and earlier are affected unless the stable branch you run has received the backported fix. Also confirm the host architecture with 'uname -m', since only RISC-V hosts are affected.
Check Version:
uname -r
Verify Fix Applied:
Verify that the kernel version reported by 'uname -r' is 6.11-rc4 or later. On a stable or distribution kernel with a lower version number, check that the fix commit linked above is included in its changelog.
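As an added example (not part of the advisory, and not the kernel project's own tooling), the following Python script automates the two checks above: it parses the release string from `uname -r` so that release candidates order correctly against final releases, compares it with the first fixed mainline release named on the page (6.11-rc4), and only reports a host as in scope when `uname -m` shows a RISC-V machine. The cut-off version, the machine-name set and the result wording are assumptions made for this example; a version-only check cannot see a stable backport, so a "review" result means "check the changelog", not "confirmed vulnerable".

```python
"""Added example: classify a host for CVE-2024-47717 from `uname` data.

The first fixed mainline release (6.11-rc4) is taken from the advisory;
the machine names and the result strings are assumptions of this example.
"""
import platform
import re

FIXED_RELEASE = "6.11-rc4"              # first fixed mainline release (from the advisory)
RISCV_MACHINES = {"riscv64", "riscv32"}  # assumed `uname -m` values for RISC-V hosts

# major.minor[.patch][-rcN]; anything after that (e.g. "-generic") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release: str) -> tuple:
    """Turn '6.11-rc3', '6.11', or '6.10.12-generic' into a comparable tuple.

    A release candidate sorts before the final release of the same version:
    6.11-rc3 -> (6, 11, 0, 0, 3) and 6.11 -> (6, 11, 0, 1, 0).
    """
    m = _VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def release_is_older_than_fix(release: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running release predates the first fixed mainline release."""
    return parse_release(release) < parse_release(fixed)


def assess(release: str, machine: str) -> str:
    """Classify one host. Only RISC-V hosts are in scope for this CVE, and a
    version number below the fix does not rule out a stable backport."""
    if machine not in RISCV_MACHINES:
        return "not-affected: not a RISC-V host"
    if release_is_older_than_fix(release):
        return ("review: kernel predates 6.11-rc4; confirm whether the "
                "backported fix commit is present in this stable branch")
    return "fixed: kernel is 6.11-rc4 or later"


if __name__ == "__main__":
    # Same inputs the advisory tells you to gather with `uname -r` and `uname -m`.
    print(assess(platform.release(), platform.machine()))
```

Run it on the host in question; on a non-RISC-V machine it reports "not-affected" regardless of version, which keeps the check from raising false alarms on x86 or Arm hypervisors.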
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages mentioning 'kvm_pmu_clear_snapshot_area' or 'NULL pointer dereference' in kernel logs
- Guest VM termination events followed by host kernel crashes
Network Indicators:
- Sudden loss of connectivity to all VMs on a host
SIEM Query:
source="kernel" AND ("kvm_pmu_clear_snapshot_area" OR "NULL pointer dereference" OR "Oops [#1]")
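For teams without a SIEM, the following added Python example (not part of the advisory) applies the same logic as the query above to syslog-style kernel log lines: it keeps only lines whose program field is `kernel` (the `source="kernel"` filter), matches the three indicator strings listed under Log Indicators, and then requires the bug-specific symbol `kvm_pmu_clear_snapshot_area` to appear alongside a fault string before flagging a match, so an unrelated oops does not trigger on the generic strings alone. The sample log lines, including timestamps, host name, addresses and symbol offsets, are constructed for this example and are not captured output; the syslog layout and the indicator weights are assumptions of this example.

```python
"""Added example: run the advisory's log indicators over kernel log lines.

Sample lines are constructed for illustration, not captured from a host.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators from the advisory. The symbol name is specific to this bug; the
# other two are generic kernel-fault strings that any oops would produce,
# so they are weighted lower (weights are an assumption of this example).
INDICATORS = {
    "kvm_pmu_clear_snapshot_area": 3,
    "NULL pointer dereference": 1,
    "Oops [#1]": 1,
}

# "Mon DD HH:MM:SS host prog[pid]: message" (classic syslog layout, assumed here).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class Hit:
    line_no: int
    indicator: str
    message: str


def scan_kernel_log(lines: Iterable[str]) -> List[Hit]:
    """Equivalent of the SIEM query: keep lines from the 'kernel' source,
    then record every indicator substring each line contains."""
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        m = SYSLOG_RE.match(raw)
        if not m or m.group("prog") != "kernel":
            continue  # user-space programs quoting the same words are ignored
        msg = m.group("msg")
        for indicator in INDICATORS:
            if indicator in msg:
                hits.append(Hit(n, indicator, msg))
    return hits


def indicator_score(hits: List[Hit]) -> int:
    """Weighted sum of matched indicators, for ranking alerts."""
    return sum(INDICATORS[h.indicator] for h in hits)


def matches_cve_2024_47717(hits: List[Hit]) -> bool:
    """Require the bug-specific symbol plus at least one fault string; a
    generic NULL-pointer oops in some other driver is not this CVE."""
    seen = {h.indicator for h in hits}
    return "kvm_pmu_clear_snapshot_area" in seen and bool(
        seen & {"NULL pointer dereference", "Oops [#1]"}
    )


# Constructed sample: a guest is destroyed, then the host oopses in the PMU
# snapshot teardown path. Addresses and offsets are made up.
SAMPLE_LOG = [
    "Oct  2 10:14:20 rv-host libvirtd[912]: guest 'riscv-guest-01' destroyed",
    "Oct  2 10:14:21 rv-host kernel: [ 1203.441712] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000",
    "Oct  2 10:14:21 rv-host kernel: [ 1203.441890] Oops [#1]",
    "Oct  2 10:14:21 rv-host kernel: [ 1203.442010] epc : kvm_pmu_clear_snapshot_area+0x1c/0x60 [kvm]",
    "Oct  2 10:14:21 rv-host sshd[1301]: NULL pointer dereference mentioned by a user, not a kernel event",
]

# Constructed sample of an unrelated oops that must not be attributed to this CVE.
GENERIC_OOPS_LOG = [
    "Oct  2 11:02:03 rv-host kernel: [ 4100.100000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008",
    "Oct  2 11:02:03 rv-host kernel: [ 4100.100200] Oops [#1]",
    "Oct  2 11:02:03 rv-host kernel: [ 4100.100400] epc : some_other_driver_fn+0x10/0x40",
]

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("generic", GENERIC_OOPS_LOG)):
        hits = scan_kernel_log(log)
        print(name, "score", indicator_score(hits), "match", matches_cve_2024_47717(hits))
```

Feed it `journalctl -k -o short` output or a syslog file one line at a time; pairing a match with a preceding hypervisor "destroy" event from user-space logs (the second Log Indicator above) is left to the caller, since that event's wording depends on the management stack.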