cve/published/2024/CVE-2024-53111.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix address wraparound in move_page_tables()\n\nOn 32-bit platforms, it is possible for the expression `len + old_addr <\nold_end` to be false-positive if `len + old_addr` wraps around. \n`old_addr` is the cursor in the old range up to which page table entries\nhave been moved; so if the operation succeeded, `old_addr` is the *end* of\nthe old region, and adding `len` to it can wrap.\n\nThe overflow causes mremap() to mistakenly believe that PTEs have been\ncopied; the consequence is that mremap() bails out, but doesn't move the\nPTEs back before the new VMA is unmapped, causing anonymous pages in the\nregion to be lost.  So basically if userspace tries to mremap() a\nprivate-anon region and hits this bug, mremap() will return an error and\nthe private-anon region's contents appear to have been zeroed.\n\nThe idea of this check is that `old_end - len` is the original start\naddress, and writing the check that way also makes it easier to read; so\nfix the check by rearranging the comparison accordingly.\n\n(An alternate fix would be to refactor this function by introducing an\n\"orig_old_start\" variable or such.)\n\n\nTested in a VM with a 32-bit X86 kernel; without the patch:\n\n```\nuser@horn:~/big_mremap$ cat test.c\n#define _GNU_SOURCE\n#include <stdlib.h>\n#include <stdio.h>\n#include <err.h>\n#include <sys/mman.h>\n\n#define ADDR1 ((void*)0x60000000)\n#define ADDR2 ((void*)0x10000000)\n#define SIZE          0x50000000uL\n\nint main(void) {\n  unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n  if (p1 == MAP_FAILED)\n    err(1, \"mmap 1\");\n  unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n  if (p2 == MAP_FAILED)\n    err(1, \"mmap 2\");\n  *p1 = 0x41;\n  printf(\"first char is 0x%02hhx\\n\", *p1);\n  unsigned char *p3 = mremap(p1, SIZE, SIZE,\n      MREMAP_MAYMOVE|MREMAP_FIXED, p2);\n  if (p3 == MAP_FAILED) {\n    printf(\"mremap() failed; first char is 0x%02hhx\\n\", *p1);\n  } else {\n    printf(\"mremap() succeeded; first char is 0x%02hhx\\n\", *p3);\n  }\n}\nuser@horn:~/big_mremap$ gcc -static -o test test.c\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() failed; first char is 0x00\n```\n\nWith the patch:\n\n```\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() succeeded; first char is 0x41\n```"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "mm/mremap.c"
                ],
                "versions": [
                   {
                      "version": "af8ca1c149069176e6322a77b532e3ffd99ccffe",
                      "lessThan": "909543dc279a91122fb08e4653a72b82f0ad28f4",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "af8ca1c149069176e6322a77b532e3ffd99ccffe",
                      "lessThan": "a4a282daf1a190f03790bf163458ea3c8d28d217",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "mm/mremap.c"
                ],
                "versions": [
                   {
                      "version": "6.7",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "6.7",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.11.10",
                      "lessThanOrEqual": "6.11.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.12",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "6.7",
                            "versionEndExcluding": "6.11.10"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "6.7",
                            "versionEndExcluding": "6.12"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/909543dc279a91122fb08e4653a72b82f0ad28f4"
             },
             {
                "url": "https://git.kernel.org/stable/c/a4a282daf1a190f03790bf163458ea3c8d28d217"
             }
          ],
          "title": "mm/mremap: fix address wraparound in move_page_tables()",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2024-53111",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix address wraparound in move_page_tables()\n\nOn 32-bit platforms, it is possible for the expression `len + old_addr <\nold_end` to be false-positive if `len + old_addr` wraps around. \n`old_addr` is the cursor in the old range up to which page table entries\nhave been moved; so if the operation succeeded, `old_addr` is the end of\nthe old region, and adding `len` to it can wrap.\n\nThe overflow causes mremap() to mistakenly believe that PTEs have been\ncopied; the consequence is that mremap() bails out, but doesn't move the\nPTEs back before the new VMA is unmapped, causing anonymous pages in the\nregion to be lost. So basically if userspace tries to mremap() a\nprivate-anon region and hits this bug, mremap() will return an error and\nthe private-anon region's contents appear to have been zeroed.\n\nThe idea of this check is that `old_end - len` is the original start\naddress, and writing the check that way also makes it easier to read; so\nfix the check by rearranging the comparison accordingly.\n\n(An alternate fix would be to refactor this function by introducing an\n\"orig_old_start\" variable or such.)\n\n\nTested in a VM with a 32-bit X86 kernel; without the patch:\n\n```\nuser@horn:~/big_mremap$ cat test.c\n#define _GNU_SOURCE\n#include <stdlib.h>\n#include <stdio.h>\n#include <err.h>\n#include <sys/mman.h>\n\n#define ADDR1 ((void)0x60000000)\n#define ADDR2 ((void)0x10000000)\n#define SIZE 0x50000000uL\n\nint main(void) {\n unsigned char p1 = mmap(ADDR1, SIZE, PROT_READ\|PROT_WRITE,\n MAP_ANONYMOUS\|MAP_PRIVATE\|MAP_FIXED_NOREPLACE, -1, 0);\n if (p1 == MAP_FAILED)\n err(1, \"mmap 1\");\n unsigned char p2 = mmap(ADDR2, SIZE, PROT_NONE,\n MAP_ANONYMOUS\|MAP_PRIVATE\|MAP_FIXED_NOREPLACE, -1, 0);\n if (p2 == MAP_FAILED)\n err(1, \"mmap 2\");\n p1 = 0x41;\n printf(\"first char is 0x%02hhx\\n\", p1);\n unsigned char p3 = mremap(p1, SIZE, SIZE,\n MREMAP_MAYMOVE\|MREMAP_FIXED, p2);\n if (p3 == MAP_FAILED) {\n printf(\"mremap() failed; first char is 0x%02hhx\\n\", p1);\n } else {\n printf(\"mremap() succeeded; first char is 0x%02hhx\\n\", *p3);\n }\n}\nuser@horn:~/big_mremap$ gcc -static -o test test.c\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() failed; first char is 0x00\n```\n\nWith the patch:\n\n```\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() succeeded; first char is 0x41\n```"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"mm/mremap.c"
	],
	"versions": [
	{
	"version": "af8ca1c149069176e6322a77b532e3ffd99ccffe",
	"lessThan": "909543dc279a91122fb08e4653a72b82f0ad28f4",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "af8ca1c149069176e6322a77b532e3ffd99ccffe",
	"lessThan": "a4a282daf1a190f03790bf163458ea3c8d28d217",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"mm/mremap.c"
	],
	"versions": [
	{
	"version": "6.7",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "6.7",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.11.10",
	"lessThanOrEqual": "6.11.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.12",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "6.7",
	"versionEndExcluding": "6.11.10"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "6.7",
	"versionEndExcluding": "6.12"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/909543dc279a91122fb08e4653a72b82f0ad28f4"
	},
	{
	"url": "https://git.kernel.org/stable/c/a4a282daf1a190f03790bf163458ea3c8d28d217"
	}
	],
	"title": "mm/mremap: fix address wraparound in move_page_tables()",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2024-53111",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}