Lucene search

K
cve416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2024-35877
HistoryMay 19, 2024 - 9:15 a.m.

CVE-2024-35877

2024-05-1909:15:08
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
29
linux kernel
x86/mm/pat
cow mappings
vm_pat handling
follow_phys()
untrack_pfn()
warning trigger

6.3 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.0%

In the Linux kernel, the following vulnerability has been resolved:

x86/mm/pat: fix VM_PAT handling in COW mappings

PAT handling won’t do the right thing in COW mappings: the first PTE (or,
in fact, all PTEs) can be replaced during write faults to point at anon
folios. Reliably recovering the correct PFN and cachemode using
follow_phys() from PTEs will not work in COW mappings.

Using follow_phys(), we might just get the address+protection of the anon
folio (which is very wrong), or fail on swap/nonswap entries, failing
follow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and
track_pfn_copy(), not properly calling free_pfn_range().

In free_pfn_range(), we either wouldn’t call memtype_free() or would call
it with the wrong range, possibly leaking memory.

To fix that, let’s update follow_phys() to refuse returning anon folios,
and fallback to using the stored PFN inside vma->vm_pgoff for COW mappings
if we run into that.

We will now properly handle untrack_pfn() with COW mappings, where we
don’t need the cachemode. We’ll have to fail fork()->track_pfn_copy() if
the first page was replaced by an anon folio, though: we’d have to store
the cachemode in the VMA to make this work, likely growing the VMA size.

For now, lets keep it simple and let track_pfn_copy() just fail in that
case: it would have failed in the past with swap/nonswap entries already,
and it would have done the wrong thing with anon folios.

Simple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():

<— C reproducer —>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <liburing.h>

int main(void)
{
struct io_uring_params p = {};
int ring_fd;
size_t size;
char *map;

     ring_fd = io_uring_setup(1, &p);
     if (ring_fd &lt; 0) {
             perror("io_uring_setup");
             return 1;
     }
     size = p.sq_off.array + p.sq_entries * sizeof(unsigned);

     /* Map the submission queue ring MAP_PRIVATE */
     map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
                ring_fd, IORING_OFF_SQ_RING);
     if (map == MAP_FAILED) {
             perror("mmap");
             return 1;
     }

     /* We have at least one page. Let's COW it. */
     *map = 0;
     pause();
     return 0;

}
<— C reproducer —>

On a system with 16 GiB RAM and swap configured:

./iouring &

memhog 16G

killall iouring

[ 301.552930] ------------[ cut here ]------------
[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100
[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g
[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1
[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4
[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100
[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000
[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282
[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047
[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200
[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000
[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000
[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000
[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000
[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0
[ 301.565725] PKRU: 55555554
[ 301.565944] Call Trace:
[ 301.566148] <TASK>
[ 301.566325] ? untrack_pfn+0xf4/0x100
[ 301.566618] ? __warn+0x81/0x130
[ 301.566876] ? untrack_pfn+0xf4/0x100
[ 3
—truncated—

Affected configurations

Vulners
Node
linuxlinux_kernelRange2.6.294.19.312
OR
linuxlinux_kernelRange4.20.05.4.274
OR
linuxlinux_kernelRange5.5.05.10.215
OR
linuxlinux_kernelRange5.11.05.15.155
OR
linuxlinux_kernelRange5.16.06.1.85
OR
linuxlinux_kernelRange6.2.06.6.26
OR
linuxlinux_kernelRange6.7.06.8.5
OR
linuxlinux_kernelRange6.9.0

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/mm/pat/memtype.c",
      "mm/memory.c"
    ],
    "versions": [
      {
        "version": "5899329b1910",
        "lessThan": "f18681daaec9",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5899329b1910",
        "lessThan": "09e6bb53217b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5899329b1910",
        "lessThan": "c2b2430b48f3",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5899329b1910",
        "lessThan": "7cfee26d1950",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5899329b1910",
        "lessThan": "97e93367e827",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5899329b1910",
        "lessThan": "51b7841f3fe8",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5899329b1910",
        "lessThan": "1341e4b32e1f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5899329b1910",
        "lessThan": "04c35ab3bdae",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "arch/x86/mm/pat/memtype.c",
      "mm/memory.c"
    ],
    "versions": [
      {
        "version": "2.6.29",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.29",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.312",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.274",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.215",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.155",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.85",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.26",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.5",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

6.3 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.0%