cve/published/2024/CVE-2024-50199.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50199: mm/swapfile: skip HugeTLB pages for unuse_vma

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/swapfile: skip HugeTLB pages for unuse_vma

 I got a bad pud error and lost a 1GB HugeTLB when calling swapoff.  The
 problem can be reproduced by the following steps:

  1. Allocate an anonymous 1GB HugeTLB and some other anonymous memory.
  2. Swapout the above anonymous memory.
  3. run swapoff and we will get a bad pud error in kernel message:

   mm/pgtable-generic.c:42: bad pud 00000000743d215d(84000001400000e7)

 We can tell that pud_clear_bad is called by pud_none_or_clear_bad in
 unuse_pud_range() by ftrace.  And therefore the HugeTLB pages will never
 be freed because we lost it from page table.  We can skip HugeTLB pages
 for unuse_vma to fix it.

 The Linux kernel CVE team has assigned CVE-2024-50199 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 5.4.285 with commit ba7f982cdb37ff5a7739dec85d7325ea66fc1496
 	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 5.10.228 with commit 417d5838ca73c6331ae2fe692fab6c25c00d9a0b
 	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 5.15.169 with commit e41710f5a61aca9d6baaa8f53908a927dd9e7aa7
 	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.1.114 with commit 6ec0fe3756f941f42f8c57156b8bdf2877b2ebaf
 	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.6.58 with commit bed2b9037806c62166a0ef9a559a1e7e3e1275b8
 	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.11.5 with commit eb66a833cdd2f7302ee05d05e0fa12a2ca32eb87
 	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.12 with commit 7528c4fb1237512ee18049f852f014eba80bbe8d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50199
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/swapfile.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ba7f982cdb37ff5a7739dec85d7325ea66fc1496
 	https://git.kernel.org/stable/c/417d5838ca73c6331ae2fe692fab6c25c00d9a0b
 	https://git.kernel.org/stable/c/e41710f5a61aca9d6baaa8f53908a927dd9e7aa7
 	https://git.kernel.org/stable/c/6ec0fe3756f941f42f8c57156b8bdf2877b2ebaf
 	https://git.kernel.org/stable/c/bed2b9037806c62166a0ef9a559a1e7e3e1275b8
 	https://git.kernel.org/stable/c/eb66a833cdd2f7302ee05d05e0fa12a2ca32eb87
 	https://git.kernel.org/stable/c/7528c4fb1237512ee18049f852f014eba80bbe8d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50199: mm/swapfile: skip HugeTLB pages for unuse_vma

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/swapfile: skip HugeTLB pages for unuse_vma

	I got a bad pud error and lost a 1GB HugeTLB when calling swapoff. The
	problem can be reproduced by the following steps:

	1. Allocate an anonymous 1GB HugeTLB and some other anonymous memory.
	2. Swapout the above anonymous memory.
	3. run swapoff and we will get a bad pud error in kernel message:

	mm/pgtable-generic.c:42: bad pud 00000000743d215d(84000001400000e7)

	We can tell that pud_clear_bad is called by pud_none_or_clear_bad in
	unuse_pud_range() by ftrace. And therefore the HugeTLB pages will never
	be freed because we lost it from page table. We can skip HugeTLB pages
	for unuse_vma to fix it.

	The Linux kernel CVE team has assigned CVE-2024-50199 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 5.4.285 with commit ba7f982cdb37ff5a7739dec85d7325ea66fc1496
	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 5.10.228 with commit 417d5838ca73c6331ae2fe692fab6c25c00d9a0b
	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 5.15.169 with commit e41710f5a61aca9d6baaa8f53908a927dd9e7aa7
	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.1.114 with commit 6ec0fe3756f941f42f8c57156b8bdf2877b2ebaf
	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.6.58 with commit bed2b9037806c62166a0ef9a559a1e7e3e1275b8
	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.11.5 with commit eb66a833cdd2f7302ee05d05e0fa12a2ca32eb87
	Issue introduced in 2.6.36 with commit 0fe6e20b9c4c53b3e97096ee73a0857f60aad43f and fixed in 6.12 with commit 7528c4fb1237512ee18049f852f014eba80bbe8d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50199
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/swapfile.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ba7f982cdb37ff5a7739dec85d7325ea66fc1496
	https://git.kernel.org/stable/c/417d5838ca73c6331ae2fe692fab6c25c00d9a0b
	https://git.kernel.org/stable/c/e41710f5a61aca9d6baaa8f53908a927dd9e7aa7
	https://git.kernel.org/stable/c/6ec0fe3756f941f42f8c57156b8bdf2877b2ebaf
	https://git.kernel.org/stable/c/bed2b9037806c62166a0ef9a559a1e7e3e1275b8
	https://git.kernel.org/stable/c/eb66a833cdd2f7302ee05d05e0fa12a2ca32eb87
	https://git.kernel.org/stable/c/7528c4fb1237512ee18049f852f014eba80bbe8d