CVE-2024-27022
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2024
Last modified: 04/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

fork: defer linking file vma until vma is fully initialized

Thorvald reported a WARNING [1]. And the root cause is the race below:

```text
CPU 1                                   CPU 2
fork                                    hugetlbfs_fallocate
 dup_mmap                                hugetlbfs_punch_hole
  i_mmap_lock_write(mapping);
  vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.
  i_mmap_unlock_write(mapping);
  hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!
                                         i_mmap_lock_write(mapping);
                                         hugetlb_vmdelete_list
                                          vma_interval_tree_foreach
                                           hugetlb_vma_trylock_write -- Vma_lock is cleared.
  tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!
                                           hugetlb_vma_unlock_write -- Vma_lock is assigned!!!
                                         i_mmap_unlock_write(mapping);
```

hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside
i_mmap_rwsem lock while vma lock can be used at the same time. Fix this
by deferring linking file vma until vma is fully initialized. Those vmas
should be initialized first before they can be used.
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.90 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.30 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.8.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19
- https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34
- https://git.kernel.org/stable/c/04b0c41912349aff11a1bbaef6a722bd7fbb90ac
- https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557
- https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf
- https://git.kernel.org/stable/c/dd782da470761077f4d1120e191f1a35787cda6e
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/