
CVE-2024-47717: Vulnerability in Linux

Severity: Medium
Published: Mon Oct 21 2024 (10/21/2024, 11:53:48 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data

With the latest Linux-6.11-rc3, the below NULL pointer crash is observed when SBI PMU snapshot is enabled for the guest and the guest is forcefully powered-off.

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
    Oops [#1]
    Modules linked in: kvm
    CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3
    Hardware name: riscv-virtio,qemu (DT)
    epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
     ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
    badaddr: 0000000000000508 cause: 000000000000000d
    [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
    [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
    [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
    [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
    [<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
    [<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
    [<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]
    [<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]
    [<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]
    [<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]
    [<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]

Clearly, the kvm_vcpu_write_guest() function is crashing because it is being called from kvm_pmu_clear_snapshot_area() upon guest tear down.

To address the above issue, simplify kvm_pmu_clear_snapshot_area() to not zero-out the PMU snapshot area, because the guest is anyway being torn down. kvm_pmu_clear_snapshot_area() is also called when the guest changes the PMU snapshot area of a VCPU, but even in this case the previous PMU snapshot area must not be zeroed-out, because the guest might have reclaimed the previous PMU snapshot area for some other purpose.

AI-Powered Analysis

Last updated: 06/28/2025, 19:55:57 UTC

Technical Analysis

CVE-2024-47717 is a vulnerability in the Linux kernel's Kernel-based Virtual Machine (KVM) implementation for the RISC-V architecture. It stems from improper handling of the Performance Monitoring Unit (PMU) snapshot area when a guest virtual machine is torn down or when the guest changes the PMU snapshot area of a virtual CPU (VCPU). In both paths, kvm_pmu_clear_snapshot_area() called kvm_vcpu_write_guest() to zero out the guest-visible snapshot area before freeing its data; during teardown that write dereferences a NULL pointer (at virtual address 0x508 in the reported crash), producing a kernel oops. The fix simplifies kvm_pmu_clear_snapshot_area() so that it no longer zeroes the snapshot area at all: on teardown the guest is going away anyway, and on a snapshot-area change the guest may already have reclaimed the previous area for another purpose, so zeroing it would be incorrect. The crash was observed on Linux 6.11-rc3 and is specific to the RISC-V KVM implementation. No exploits are known in the wild, and no CVSS score has been assigned. The issue is primarily a stability and denial-of-service (DoS) concern: a NULL pointer dereference in the hypervisor layer crashes the kernel managing virtual machines on RISC-V platforms.

Potential Impact

For European organizations, the impact of CVE-2024-47717 is mainly on service availability and operational stability in environments using Linux-based virtualization on RISC-V hardware. Organizations running RISC-V virtualized workloads with KVM could experience unexpected kernel crashes leading to guest VM shutdowns or host instability. This can disrupt critical services, especially in data centers, cloud providers, or research institutions experimenting with the RISC-V architecture. Although the vulnerability does not appear to allow privilege escalation or direct data compromise, the denial-of-service effect can cause significant downtime and operational disruption. Given that RISC-V adoption is still emerging, the immediate impact is limited to early adopters and specialized deployments. However, as RISC-V gains traction in Europe for edge computing, IoT, and embedded systems, the risk of service interruptions due to this vulnerability will increase. The lack of known exploits reduces the immediate threat but does not eliminate the risk of accidental crashes or targeted DoS attacks exploiting this flaw.

Mitigation Recommendations

European organizations should apply the following specific mitigations:

1) Update Linux kernels to versions that include the patch for CVE-2024-47717 as soon as they become available, particularly for systems running RISC-V KVM virtualization.
2) In the interim, avoid enabling the SBI PMU snapshot feature for guest VMs if possible, as this triggers the vulnerability.
3) Monitor kernel logs for NULL pointer dereference oops messages related to kvm_vcpu_write_guest or kvm_pmu_clear_snapshot_area to detect potential crashes.
4) Implement robust VM lifecycle management to ensure graceful shutdowns and avoid forceful power-offs of guest VMs using PMU snapshots.
5) For organizations developing or deploying RISC-V virtualization solutions, conduct thorough testing of guest teardown and PMU snapshot area management to detect instability.
6) Engage with Linux kernel maintainers and RISC-V communities to track patch releases and best practices for secure KVM usage on RISC-V.

These mitigations go beyond generic advice by focusing on feature-specific configuration and kernel update prioritization relevant to this vulnerability.
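One way to implement the log check in mitigation 3, as an added example that is not part of the advisory or the kernel project: it splits kernel log text into oops records and flags those whose call trace contains both kvm_pmu_clear_snapshot_area and kvm_vcpu_write_guest. The sample log is constructed from the trace quoted in the description; timestamps and the second, unrelated oops are invented.

```python
# Detect the CVE-2024-47717 oops signature (NULL dereference with
# kvm_pmu_clear_snapshot_area -> kvm_vcpu_write_guest in the trace) in kernel logs.
import re
from dataclasses import dataclass, field

# Symbols named in the advisory's call trace; both must appear for a match.
SIGNATURE = ("kvm_pmu_clear_snapshot_area", "kvm_vcpu_write_guest")

OOPS_START = re.compile(r"Unable to handle kernel NULL pointer dereference"
                        r" at virtual address (?P<addr>[0-9a-f]+)")
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+(?P<sym>[A-Za-z0-9_.]+)\+0x")

@dataclass
class Oops:
    fault_addr: str
    frames: list = field(default_factory=list)

    def matches_cve_2024_47717(self) -> bool:
        return all(sym in self.frames for sym in SIGNATURE)

def parse_oopses(log_text: str) -> list:
    """Split a kernel log into oops records, collecting call-trace symbols."""
    oopses, current = [], None
    for line in log_text.splitlines():
        start = OOPS_START.search(line)
        if start:
            current = Oops(fault_addr=start.group("addr"))
            oopses.append(current)
        elif current is not None:
            frame = FRAME.search(line)
            if frame:
                # Strip compiler suffixes such as ".part.0" from the symbol.
                current.frames.append(frame.group("sym").split(".")[0])
    return oopses

def find_pmu_snapshot_crashes(log_text: str) -> list:
    return [o for o in parse_oopses(log_text) if o.matches_cve_2024_47717()]

# Constructed sample log modelled on the trace quoted in the advisory;
# the second oops is an unrelated NULL dereference that must not match.
SAMPLE_LOG = """\
[  121.0] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
[  121.0] Oops [#1]
[  121.0] [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
[  121.0] [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
[  121.0] [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
[  121.0] [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
[  300.0] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  300.0] [<ffffffff80123456>] some_other_driver_fn+0x10/0x40
"""
```

Feed it the output of `dmesg` or `journalctl -k`; a non-empty result from find_pmu_snapshot_crashes() is the crash described above and warrants prioritizing the kernel update.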


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-30T16:00:12.949Z
Cisa Enriched: true
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe05a8

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 7:55:57 PM

Last updated: 8/5/2025, 6:37:25 AM
