CVE-2024-50220

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 09/11/2024
Last modified: 26/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fork: do not invoke uffd on fork if error occurs

Patch series "fork: do not expose incomplete mm on fork".

During fork we may place the virtual memory address space into an inconsistent state before the fork operation is complete.

In addition, we may encounter an error during the fork operation that indicates that the virtual memory address space is invalidated.

As a result, we should not be exposing it in any way to external machinery that might interact with the mm or VMAs, machinery that is not designed to deal with incomplete state.

We specifically update the fork logic to defer khugepaged and ksm to the end of the operation and only to be invoked if no error arose, and disallow uffd from observing fork events should an error have occurred.

This patch (of 2):

Currently on fork we expose the virtual address space of a process to userland unconditionally if uffd is registered in VMAs, regardless of whether an error arose in the fork.

This is performed in dup_userfaultfd_complete() which is invoked unconditionally, and performs two duties - invoking registered handlers for the UFFD_EVENT_FORK event via dup_fctx(), and clearing down userfaultfd_fork_ctx objects established in dup_userfaultfd().

This is problematic, because the virtual address space may not yet be correctly initialised if an error arose.

The change in commit d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") makes this more pertinent as we may be in a state where entries in the maple tree are not yet consistent.

We address this by, on fork error, ensuring that we roll back state that we would otherwise expect to clean up through the event being handled by userland and perform the memory freeing duty otherwise performed by dup_userfaultfd_complete().

We do this by implementing a new function, dup_userfaultfd_fail(), which performs the same loop, only decrementing reference counts.

Note that we perform mmgrab() on the parent and child mm's, however userfaultfd_ctx_put() will mmdrop() this once the reference count drops to zero, so we will avoid memory leaks correctly here.

Vulnerable products and versions

CPE                                                  From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.8 (including)   6.11.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*