CVE-2024-56612

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
27/12/2024
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/gup: handle NULL pages in unpin_user_pages()

The recent addition of "pofs" (pages or folios) handling to gup has a flaw: it assumes that unpin_user_pages() handles NULL pages in the pages** array. That's not the case, as I discovered when I ran on a new configuration on my test machine.

Fix this by skipping NULL pages in unpin_user_pages(), just like unpin_folios() already does.

Details: when booting on x86 with "numa=fake=2 movablecore=4G" on Linux 6.12, and running this:

tools/testing/selftests/mm/gup_longterm

...I get the following crash:

BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0
...
Call Trace:

? __die_body+0x66/0xb0
? page_fault_oops+0x30c/0x3b0
? do_user_addr_fault+0x6c3/0x720
? irqentry_enter+0x34/0x60
? exc_page_fault+0x68/0x100
? asm_exc_page_fault+0x22/0x30
? sanity_check_pinned_pages+0x3a/0x2d0
unpin_user_pages+0x24/0xe0
check_and_migrate_movable_pages_or_folios+0x455/0x4b0
__gup_longterm_locked+0x3bf/0x820
? mmap_read_lock_killable+0x12/0x50
? __pfx_mmap_read_lock_killable+0x10/0x10
pin_user_pages+0x66/0xa0
gup_test_ioctl+0x358/0xb20
__se_sys_ioctl+0x6b/0xc0
do_syscall_64+0x7b/0x150
entry_SYSCALL_64_after_hwframe+0x76/0x7e
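The defect and its fix, as an added user-space C model that is not the kernel's code: `struct page`, the pin count and both unpin functions are constructed stand-ins, with the pre-fix loop dereferencing every slot and the fixed loop skipping NULL slots the way the description says unpin_folios() already does.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a kernel page: only the pin count matters here. */
struct page {
    int pin_count;
};

/* Pre-fix shape of the loop: every slot of pages[] is assumed non-NULL.
 * A NULL slot reads through address 0 + offset of pin_count, which is the
 * kind of small-offset NULL dereference the oops above reports. Only safe
 * to call on an array without holes. Returns the number of pages unpinned. */
size_t unpin_pages_unchecked(struct page **pages, size_t npages)
{
    size_t unpinned = 0;
    for (size_t i = 0; i < npages; i++) {
        pages[i]->pin_count--;      /* faults when pages[i] == NULL */
        unpinned++;
    }
    return unpinned;
}

/* Fixed shape: NULL slots are skipped instead of dereferenced, so a caller
 * such as the pofs migration path in the trace can hand over an array with
 * holes. Returns how many pages were actually unpinned. */
size_t unpin_pages_fixed(struct page **pages, size_t npages)
{
    size_t unpinned = 0;
    for (size_t i = 0; i < npages; i++) {
        if (!pages[i])
            continue;               /* hole in the pages** array */
        pages[i]->pin_count--;
        unpinned++;
    }
    return unpinned;
}

/* Constructed input: two pinned pages and two NULL holes. Returns the number
 * of pages unpinned (2), or 0 if either pin count was not released. */
size_t demo_unpin_with_holes(void)
{
    struct page a = { .pin_count = 1 }, b = { .pin_count = 1 };
    struct page *pages[4] = { &a, NULL, &b, NULL };
    size_t n = unpin_pages_fixed(pages, 4);
    return (a.pin_count == 0 && b.pin_count == 0) ? n : 0;
}

int main(void)
{
    printf("unpinned %zu pages, NULL slots skipped\n", demo_unpin_with_holes());
    return 0;
}
```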

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*