| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: use pages instead of pointer for kernel direct IO\n\nWhen trying to insert a 10MB kernel module kept in a virtio-fs with cache\ndisabled, the following warning was reported:\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ......\n Modules linked in:\n CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:__alloc_pages+0x2bf/0x380\n ......\n Call Trace:\n <TASK>\n ? __warn+0x8e/0x150\n ? __alloc_pages+0x2bf/0x380\n __kmalloc_large_node+0x86/0x160\n __kmalloc+0x33c/0x480\n virtio_fs_enqueue_req+0x240/0x6d0\n virtio_fs_wake_pending_and_unlock+0x7f/0x190\n queue_request_and_unlock+0x55/0x60\n fuse_simple_request+0x152/0x2b0\n fuse_direct_io+0x5d2/0x8c0\n fuse_file_read_iter+0x121/0x160\n __kernel_read+0x151/0x2d0\n kernel_read+0x45/0x50\n kernel_read_file+0x1a9/0x2a0\n init_module_from_file+0x6a/0xe0\n idempotent_init_module+0x175/0x230\n __x64_sys_finit_module+0x5d/0xb0\n x64_sys_call+0x1c3/0x9e0\n do_syscall_64+0x3d/0xc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n ......\n </TASK>\n ---[ end trace 0000000000000000 ]---\n\nThe warning is triggered as follows:\n\n1) syscall finit_module() handles the module insertion and it invokes\nkernel_read_file() to read the content of the module first.\n\n2) kernel_read_file() allocates a 10MB buffer by using vmalloc() and\npasses it to kernel_read(). kernel_read() constructs a kvec iter by\nusing iov_iter_kvec() and passes it to fuse_file_read_iter().\n\n3) virtio-fs disables the cache, so fuse_file_read_iter() invokes\nfuse_direct_io(). As for now, the maximal read size for kvec iter is\nonly limited by fc->max_read. For virtio-fs, max_read is UINT_MAX, so\nfuse_direct_io() doesn't split the 10MB buffer. It saves the address and\nthe size of the 10MB-sized buffer in out_args[0] of a fuse request and\npasses the fuse request to virtio_fs_wake_pending_and_unlock().\n\n4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() to\nqueue the request. Because virtiofs need DMA-able address, so\nvirtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer for\nall fuse args, copies these args into the bounce buffer and passed the\nphysical address of the bounce buffer to virtiofsd. The total length of\nthese fuse args for the passed fuse request is about 10MB, so\ncopy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter and\nit triggers the warning in __alloc_pages():\n\n\tif (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp))\n\t\treturn NULL;\n\n5) virtio_fs_enqueue_req() will retry the memory allocation in a\nkworker, but it won't help, because kmalloc() will always return NULL\ndue to the abnormal size and finit_module() will hang forever.\n\nA feasible solution is to limit the value of max_read for virtio-fs, so\nthe length passed to kmalloc() will be limited. However it will affect\nthe maximal read size for normal read. And for virtio-fs write initiated\nfrom kernel, it has the similar problem but now there is no way to limit\nfc->max_write in kernel.\n\nSo instead of limiting both the values of max_read and max_write in\nkernel, introducing use_pages_for_kvec_io in fuse_conn and setting it as\ntrue in virtiofs. When use_pages_for_kvec_io is enabled, fuse will use\npages instead of pointer to pass the KVEC_IO data.\n\nAfter switching to pages for KVEC_IO data, these pages will be used for\nDMA through virtio-fs. If these pages are backed by vmalloc(),\n{flush|invalidate}_kernel_vmap_range() are necessary to flush or\ninvalidate the cache before the DMA operation. So add two new fields in\nfuse_args_pages to record the base address of vmalloc area and the\ncondition indicating whether invalidation is needed. Perform the flush\nin fuse_get_user_pages() for write operations and the invalidation in\nfuse_release_user_pages() for read operations.\n\nIt may seem necessary to introduce another fie\n---truncated---" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/fuse/file.c", |
| "fs/fuse/fuse_i.h", |
| "fs/fuse/virtio_fs.c" |
| ], |
| "versions": [ |
| { |
| "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a", |
| "lessThan": "9a8fde56d4b6d51930936ed50f6370a9097328d1", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a", |
| "lessThan": "2bc07714dc955a91d2923a440ea02c3cb3376b10", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a", |
| "lessThan": "41748675c0bf252b3c5f600a95830f0936d366c1", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/fuse/file.c", |
| "fs/fuse/fuse_i.h", |
| "fs/fuse/virtio_fs.c" |
| ], |
| "versions": [ |
| { |
| "version": "5.4", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "5.4", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.11.11", |
| "lessThanOrEqual": "6.11.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.2", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.4", |
| "versionEndExcluding": "6.11.11" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.4", |
| "versionEndExcluding": "6.12.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.4", |
| "versionEndExcluding": "6.13" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/9a8fde56d4b6d51930936ed50f6370a9097328d1" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/2bc07714dc955a91d2923a440ea02c3cb3376b10" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/41748675c0bf252b3c5f600a95830f0936d366c1" |
| } |
| ], |
| "title": "virtiofs: use pages instead of pointer for kernel direct IO", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-53219", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
