CVE-2024-42240: x86/bhi: Avoid warning in #DB handler due to BHI mitigation
In the Linux kernel, the following vulnerability has been resolved:
x86/bhi: Avoid warning in #DB handler due to BHI mitigation
When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
(exc_debug_kernel()) to issue a warning because single-step is used outside the
entry_SYSENTER_compat() function.
To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
after making sure the TF flag is cleared.
The problem can be reproduced with the following sequence:
$ cat sysenter_step.c
int main()
{ asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }
$ gcc -o sysenter_step sysenter_step.c
$ ./sysenter_step
Segmentation fault (core dumped)
The program is expected to crash, and the #DB handler will issue a warning.
Kernel log:
WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
...
RIP: 0010:exc_debug_kernel+0xd2/0x160
...
Call Trace:
<#DB>
? show_regs+0x68/0x80
? __warn+0x8c/0x140
? exc_debug_kernel+0xd2/0x160
? report_bug+0x175/0x1a0
? handle_bug+0x44/0x90
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? exc_debug_kernel+0xd2/0x160
exc_debug+0x43/0x50
asm_exc_debug+0x1e/0x40
RIP: 0010:clear_bhb_loop+0x0/0xb0
...
</#DB>
<TASK>
? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
</TASK>
[ bp: Massage commit message. ]
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can cause a kernel warning when a specific x86 compatibility-system-call path interacts with BHI mitigation. The public record describes a warning, not data theft or remote compromise. Business urgency is mainly patch hygiene for exposed Linux fleets, especially where kernel warning policies could affect availability or monitoring noise.
Executive priority
Treat as a routine-to-moderate Linux kernel update unless your environment turns kernel warnings into service disruption. No cited source supports emergency response for active exploitation, but kernel maintenance should remain timely.
Technical view
On x86, entry_SYSENTER_compat() invoked with the trap flag set could run CLEAR_BRANCH_HISTORY before clearing TF. With BHI mitigation enabled, clear_bhb_loop() could be single-stepped, causing exc_debug_kernel() to warn. The fix reorders branch-history clearing until after TF is cleared.
Likely exposure
Exposure appears limited to affected Linux kernel versions on x86 systems using the relevant SYSENTER compatibility path with BHI mitigation enabled. The bundle lists Linux as affected, but downstream distro package status must be verified from vendor advisories.
Exploitation context
The source bundle provides a local reproduction scenario that triggers a warning. It does not cite active exploitation, KEV listing, remote attackability, privilege escalation, or a public weaponized exploit. KEV is false in the provided data.
Researcher notes
The important behavior is ordering in entry_SYSENTER_compat(): CLEAR_BRANCH_HISTORY must occur after TF is cleared. Public evidence describes a warning path, not confirmed privilege impact. Affected-version data in the bundle is incomplete for downstream packages.
Mitigation direction
Update affected Linux kernels to vendor-fixed builds containing the referenced stable commits.
Check Debian LTS and other distribution advisories for exact package versions.
Prioritize systems where kernel WARN conditions affect uptime or alerting.
Avoid direct wrangler or deployment relevance; this is an OS kernel maintenance item.
Validation and detection
Inventory Linux kernel versions across x86 hosts and compare with vendor advisories.
Confirm whether BHI mitigation is enabled on affected kernel lines.
Review kernel logs for related #DB or exc_debug_kernel warnings.
Verify installed kernel packages include the referenced stable fixes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-42240 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.