CVE-2024-26960

{"id": "CVE-2024-26960", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-01T06:15:12.323", "references": [{"url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: swap: corrige la ejecuci\u00f3n entre free_swap_and_cache() y swapoff() Anteriormente exist\u00eda una ventana te\u00f3rica donde swapoff() pod\u00eda ejecutar y desmantelar un swap_info_struct mientras se realizaba una llamada a free_swap_and_cache(). corriendo en otro hilo. Esto podr\u00eda causar, entre otras malas posibilidades, que swap_page_trans_huge_swapped() (llamado por free_swap_and_cache()) acceda a la memoria liberada para swap_map. Este es un problema te\u00f3rico y no he podido provocarlo a partir de un caso de prueba. Pero ha habido un acuerdo basado en la revisi\u00f3n del c\u00f3digo de que esto es posible (ver enlace a continuaci\u00f3n). Solucionarlo usando get_swap_device()/put_swap_device(), lo que detendr\u00e1 swapoff(). Hubo una verificaci\u00f3n adicional en _swap_info_get() para confirmar que la entrada de intercambio no era gratuita. Esto no est\u00e1 presente en get_swap_device() porque en general no tiene sentido debido a la ejecuci\u00f3n entre obtener la referencia y el intercambio. As\u00ed que agregu\u00e9 una verificaci\u00f3n equivalente directamente en free_swap_and_cache(). Detalles de c\u00f3mo provocar un posible problema (gracias a David Hildenbrand por derivar esto): --8&lt;----- __swap_entry_free() podr\u00eda ser el \u00faltimo usuario y dar como resultado \"count == SWAP_HAS_CACHE\". swapoff-&gt;try_to_unuse() se detendr\u00e1 tan pronto como si-&gt;inuse_pages==0. Entonces la pregunta es: \u00bfalguien podr\u00eda reclamar la publicaci\u00f3n y activar si-&gt;inuse_pages==0, antes de que completemos swap_page_trans_huge_swapped()? Imagine lo siguiente: folio de 2 MiB en el swapcache. S\u00f3lo 2 subp\u00e1ginas siguen siendo referencias mediante entradas de intercambio. El proceso 1 todav\u00eda hace referencia a la subp\u00e1gina 0 mediante la entrada de intercambio. El proceso 2 todav\u00eda hace referencia a la subp\u00e1gina 1 mediante la entrada de intercambio. El proceso 1 se cierra. Llama a free_swap_and_cache(). -&gt; count == SWAP_HAS_CACHE [luego, adelantado en el hipervisor, etc.] El proceso 2 se cierra. Llama a free_swap_and_cache(). -&gt; count == SWAP_HAS_CACHE El proceso 2 contin\u00faa, pasa swap_page_trans_huge_swapped() y llama a __try_to_reclaim_swap(). __try_to_reclaim_swap()-&gt;folio_free_swap()-&gt;delete_from_swap_cache()-&gt; put_swap_folio()-&gt;free_swap_slot()-&gt;swapcache_free_entries()-&gt; swap_entry_free()-&gt;swap_range_free()-&gt; ... WRITE_ONCE(si-&gt;inuse_pages, si-&gt;inuse_pages - nr_entries); \u00bfQu\u00e9 impide que el intercambio tenga \u00e9xito despu\u00e9s de que el proceso 2 recuper\u00f3 el cach\u00e9 de intercambio pero antes de que el proceso 1 terminara su llamada a swap_page_trans_huge_swapped()? --8&lt;-----"}], "lastModified": "2024-07-03T01:50:08.270", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}