Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-45024

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/09/2024
Last modified:
13/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: fix hugetlb vs. core-mm PT locking<br /> <br /> We recently made GUP&amp;#39;s common page table walking code to also walk hugetlb<br /> VMAs without most hugetlb special-casing, preparing for the future of<br /> having less hugetlb-specific page table walking code in the codebase. <br /> Turns out that we missed one page table locking detail: page table locking<br /> for hugetlb folios that are not mapped using a single PMD/PUD.<br /> <br /> Assume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB<br /> hugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the<br /> page tables, will perform a pte_offset_map_lock() to grab the PTE table<br /> lock.<br /> <br /> However, hugetlb that concurrently modifies these page tables would<br /> actually grab the mm-&gt;page_table_lock: with USE_SPLIT_PTE_PTLOCKS, the<br /> locks would differ. Something similar can happen right now with hugetlb<br /> folios that span multiple PMDs when USE_SPLIT_PMD_PTLOCKS.<br /> <br /> This issue can be reproduced [1], for example triggering:<br /> <br /> [ 3105.936100] ------------[ cut here ]------------<br /> [ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 try_grab_folio+0x11c/0x188<br /> [ 3105.944634] Modules linked in: [...]<br /> [ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1<br /> [ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024<br /> [ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 3105.991108] pc : try_grab_folio+0x11c/0x188<br /> [ 3105.994013] lr : follow_page_pte+0xd8/0x430<br /> [ 3105.996986] sp : ffff80008eafb8f0<br /> [ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43<br /> [ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48<br /> [ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978<br /> [ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001<br /> [ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000<br /> [ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000<br /> [ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0<br /> [ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080<br /> [ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000<br /> [ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000<br /> [ 3106.047957] Call trace:<br /> [ 3106.049522] try_grab_folio+0x11c/0x188<br /> [ 3106.051996] follow_pmd_mask.constprop.0.isra.0+0x150/0x2e0<br /> [ 3106.055527] follow_page_mask+0x1a0/0x2b8<br /> [ 3106.058118] __get_user_pages+0xf0/0x348<br /> [ 3106.060647] faultin_page_range+0xb0/0x360<br /> [ 3106.063651] do_madvise+0x340/0x598<br /> <br /> Let&amp;#39;s make huge_pte_lockptr() effectively use the same PT locks as any<br /> core-mm page table walker would. Add ptep_lockptr() to obtain the PTE<br /> page table lock using a pte pointer -- unfortunately we cannot convert<br /> pte_lockptr() because virt_to_page() doesn&amp;#39;t work with kmap&amp;#39;ed page tables<br /> we can have with CONFIG_HIGHPTE.<br /> <br /> Handle CONFIG_PGTABLE_LEVELS correctly by checking in reverse order, such<br /> that when e.g., CONFIG_PGTABLE_LEVELS==2 with<br /> PGDIR_SIZE==P4D_SIZE==PUD_SIZE==PMD_SIZE will work as expected. Document<br /> why that works.<br /> <br /> There is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb<br /> folio being mapped using two PTE page tables. While hugetlb wants to take<br /> the PMD table lock, core-mm would grab the PTE table lock of one of both<br /> PTE page tables. In such corner cases, we have to make sure that both<br /> locks match, which is (fortunately!) currently guaranteed for 8xx as it<br /> does not support SMP and consequently doesn&amp;#39;t use split PT locks.<br /> <br /> [1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.10 (including) 6.10.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools