CVE-2024-57945

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 21/01/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: mm: Fix the out of bound issue of vmemmap address

In sparse vmemmap model, the virtual address of vmemmap is calculated as:
((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).
And the struct page's va can be calculated with an offset:
(vmemmap + (pfn)).

However, when initializing struct pages, kernel actually starts from the first page from the same section that phys_ram_base belongs to. If the first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then we get a va below VMEMMAP_START when calculating va for its struct page.

For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During init_unavailable_range(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is below VMEMMAP_START as well as PCI_IO_END.

This commit fixes this bug by introducing a new variable 'vmemmap_start_pfn' which is aligned with memory section size and using it to calculate vmemmap address instead of phys_ram_base.
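The address arithmetic from the description, modelled in user space as an added example (this is not the kernel patch or any code from the project). Only phys_ram_base and the pfn values come from the advisory; the section size, the struct page size, the VMEMMAP_START value and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values: only phys_ram_base and the pfns are from the advisory. */
#define PAGE_SHIFT        12
#define SECTION_SIZE_BITS 27                     /* assumed: 128 MiB sections */
#define PAGES_PER_SECTION (1ULL << (SECTION_SIZE_BITS - PAGE_SHIFT))
#define STRUCT_PAGE_SIZE  64ULL                  /* assumed sizeof(struct page) */
#define VMEMMAP_START     0xffffffc700000000ULL  /* constructed sample address */

static const uint64_t phys_ram_base = 0x82000000ULL;

/* First pfn of the memory section that contains phys_ram_base. */
uint64_t section_start_pfn(void) {
    uint64_t pfn = phys_ram_base >> PAGE_SHIFT;
    return pfn & ~(PAGES_PER_SECTION - 1);
}

/* Shared helper: va of the struct page for pfn, given the pfn mapped at VMEMMAP_START. */
static uint64_t page_va(uint64_t pfn, uint64_t base_pfn) {
    int64_t idx = (int64_t)pfn - (int64_t)base_pfn;  /* may be negative */
    return VMEMMAP_START + (uint64_t)(idx * (int64_t)STRUCT_PAGE_SIZE);
}

/* Before the fix: vmemmap is based on (phys_ram_base >> PAGE_SHIFT). */
uint64_t page_va_before(uint64_t pfn) {
    return page_va(pfn, phys_ram_base >> PAGE_SHIFT);
}

/* After the fix: the base pfn is aligned down to the section size. */
uint64_t page_va_after(uint64_t pfn) {
    return page_va(pfn, section_start_pfn());
}

/* Lower-bound check only: a struct page va must not fall below VMEMMAP_START. */
int in_vmemmap(uint64_t va) { return va >= VMEMMAP_START; }

int main(void) {
    uint64_t pfn = section_start_pfn();  /* first pfn the init code touches */
    printf("section start pfn: 0x%llx\n", (unsigned long long)pfn);
    printf("before: va=0x%llx in_vmemmap=%d\n",
           (unsigned long long)page_va_before(pfn), in_vmemmap(page_va_before(pfn)));
    printf("after:  va=0x%llx in_vmemmap=%d\n",
           (unsigned long long)page_va_after(pfn), in_vmemmap(page_va_after(pfn)));
    return 0;
}
```

With these assumed sizes, the pre-fix address for pfn 0x80000 lands 0x2000 struct pages below VMEMMAP_START, matching the description, while the section-aligned base places it exactly at VMEMMAP_START.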

Vulnerable products and versions

CPE                                               From                   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.10.212 (including)   5.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.15.151 (including)   5.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.1.81 (including)     6.1.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.6.21 (including)     6.6.72 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7.9 (including)      6.8 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.8.1 (including)      6.12.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*