Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-40914

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/07/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/huge_memory: don&amp;#39;t unpoison huge_zero_folio<br /> <br /> When I did memory failure tests recently, below panic occurs:<br /> <br /> kernel BUG at include/linux/mm.h:1135!<br /> invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14<br /> RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0<br /> RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246<br /> RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8<br /> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0<br /> RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492<br /> R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00<br /> FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> do_shrink_slab+0x14f/0x6a0<br /> shrink_slab+0xca/0x8c0<br /> shrink_node+0x2d0/0x7d0<br /> balance_pgdat+0x33a/0x720<br /> kswapd+0x1f3/0x410<br /> kthread+0xd5/0x100<br /> ret_from_fork+0x2f/0x50<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Modules linked in: mce_inject hwpoison_inject<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0<br /> RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246<br /> RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8<br /> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0<br /> RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492<br /> R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000<br /> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00<br /> FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0<br /> <br /> The root cause is that HWPoison flag will be set for huge_zero_folio<br /> without increasing the folio refcnt. But then unpoison_memory() will<br /> decrease the folio refcnt unexpectedly as it appears like a successfully<br /> hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when<br /> releasing huge_zero_folio.<br /> <br /> Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. <br /> We&amp;#39;re not prepared to unpoison huge_zero_folio yet.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.41 (including) 5.15.162 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17.9 (including) 5.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18.1 (including) 6.1.95 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.6 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc7:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools