CVE-2024-50182

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/11/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

secretmem: disable memfd_secret() if arch cannot set direct map

Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). This is the case for example on some arm64 configurations, where marking 4k PTEs in the direct map not present can only be done if the direct map is set up at 4k granularity in the first place (as ARM's break-before-make semantics do not easily allow breaking apart large/gigantic pages).

More precisely, on arm64 systems with !can_set_direct_map(), set_direct_map_invalid_noflush() is a no-op, however it returns success (0) instead of an error. This means that memfd_secret will seemingly "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages), but it does not actually achieve its goal of removing its memory from the direct map.

Note that with this patch, memfd_secret() will start erroring on systems where can_set_direct_map() returns false (arm64 with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and CONFIG_KFENCE=n), but that still seems better than the current silent failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most arm64 systems actually have a working memfd_secret() and aren't affected.

From going through the iterations of the original memfd_secret patch series, it seems that disabling the syscall in these scenarios was the intended behavior [1] (preferred over having set_direct_map_invalid_noflush return an error as that would result in SIGBUSes at page-fault time), however the check for it got dropped between v16 [2] and v17 [3], when secretmem moved away from CMA allocations.

[1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/
[2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t
[3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/

Vulnerable products and versions

CPE                                                From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.14 (including)  5.15.169 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)  6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)   6.6.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)   6.11.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*