| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-47674: mm: avoid leaving partial pfn mappings around in error case |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| mm: avoid leaving partial pfn mappings around in error case |
| |
| As Jann points out, PFN mappings are special, because unlike normal |
| memory mappings, there is no lifetime information associated with the |
| mapping - it is just a raw mapping of PFNs with no reference counting of |
| a 'struct page'. |
| |
| That's all very much intentional, but it does mean that it's easy to |
| mess up the cleanup in case of errors. Yes, a failed mmap() will always |
| eventually clean up any partial mappings, but without any explicit |
| lifetime in the page table mapping itself, it's very easy to do the |
| error handling in the wrong order. |
| |
| In particular, it's easy to mistakenly free the physical backing store |
| before the page tables are actually cleaned up and (temporarily) have |
| stale dangling PTE entries. |
| |
| To make this situation less error-prone, just make sure that any partial |
| pfn mapping is torn down early, before any other error handling. |
| |
| The Linux kernel CVE team has assigned CVE-2024-47674 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 5.4.286 with commit 3213fdcab961026203dd587a4533600c70b3336b |
| Fixed in 5.10.229 with commit 35770ca6180caa24a2b258c99a87bd437a1ee10f |
| Fixed in 5.15.168 with commit 5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959 |
| Fixed in 6.1.111 with commit 65d0db500d7c07f0f76fc24a4d837791c4862cd2 |
| Fixed in 6.6.52 with commit a95a24fcaee1b892e47d5e6dcc403f713874ee80 |
| Fixed in 6.10.11 with commit 954fd4c81f22c4b6ba65379a81fd252971bf4ef3 |
| Fixed in 6.11 with commit 79a61cc3fc0466ad2b7b89618a6157785f0293b3 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-47674 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| mm/memory.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/3213fdcab961026203dd587a4533600c70b3336b |
| https://git.kernel.org/stable/c/35770ca6180caa24a2b258c99a87bd437a1ee10f |
| https://git.kernel.org/stable/c/5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959 |
| https://git.kernel.org/stable/c/65d0db500d7c07f0f76fc24a4d837791c4862cd2 |
| https://git.kernel.org/stable/c/a95a24fcaee1b892e47d5e6dcc403f713874ee80 |
| https://git.kernel.org/stable/c/954fd4c81f22c4b6ba65379a81fd252971bf4ef3 |
| https://git.kernel.org/stable/c/79a61cc3fc0466ad2b7b89618a6157785f0293b3 |
| https://project-zero.issues.chromium.org/issues/366053091 |
