CVE-2024-49873

{"id": "CVE-2024-49873", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-10-21T18:15:08.763", "references": [{"url": "https://git.kernel.org/stable/c/570dd14bfecf281fa467c80f8ec92b26370ee36a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c225c4f6056b46a8a5bf2ed35abf17a2d6887691", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/filemap: fix filemap_get_folios_contig THP panic\n\nPatch series \"memfd-pin huge page fixes\".\n\nFix multiple bugs that occur when using memfd_pin_folios with hugetlb\npages and THP. The hugetlb bugs only bite when the page is not yet\nfaulted in when memfd_pin_folios is called. The THP bug bites when the\nstarting offset passed to memfd_pin_folios is not huge page aligned. See\nthe commit messages for details.\n\n\nThis patch (of 5):\n\nmemfd_pin_folios on memory backed by THP panics if the requested start\noffset is not huge page aligned:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000036\nRIP: 0010:filemap_get_folios_contig+0xdf/0x290\nRSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202\nRAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002\n\nThe fault occurs here, because xas_load returns a folio with value 2:\n\n filemap_get_folios_contig()\n for (folio = xas_load(&xas); folio && xas.xa_index <= end;\n folio = xas_next(&xas)) {\n ...\n if (!folio_try_get(folio)) <-- BOOM\n\n\"2\" is an xarray sibling entry. We get it because memfd_pin_folios does\nnot round the indices passed to filemap_get_folios_contig to huge page\nboundaries for THP, so we load from the middle of a huge page range see a\nsibling. (It does round for hugetlbfs, at the is_file_hugepages test).\n\nTo fix, if the folio is a sibling, then return the next index as the\nstarting point for the next call to filemap_get_folios_contig."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/filemap: correcci\u00f3n de la serie de parches de p\u00e1nico de THP filemap_get_folios_contig \"memfd-pin huge page fixes\". Corrige varios errores que ocurren al usar memfd_pin_folios con p\u00e1ginas hugetlb y THP. Los errores de hugetlb solo afectan cuando la p\u00e1gina a\u00fan no tiene errores cuando se llama a memfd_pin_folios. El error de THP afecta cuando el desplazamiento inicial pasado a memfd_pin_folios no est\u00e1 alineado con la p\u00e1gina enorme. Consulte los mensajes de confirmaci\u00f3n para obtener m\u00e1s detalles. Este parche (de 5): memfd_pin_folios en la memoria respaldada por THP entra en p\u00e1nico si el desplazamiento de inicio solicitado no est\u00e1 alineado con una p\u00e1gina enorme: ERROR: desreferencia de puntero NULL del n\u00facleo, direcci\u00f3n: 0000000000000036 RIP: 0010:filemap_get_folios_contig+0xdf/0x290 RSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202 RAX: 000000000000002 RBX: 0000000000000002 RCX: 0000000000000002 El error ocurre aqu\u00ed porque xas_load devuelve un folio con el valor 2: filemap_get_folios_contig() para (folio = xas_load(&amp;xas); folio &amp;&amp; xas.xa_index &lt;= end; folio = xas_next(&amp;xas)) { ... if (!folio_try_get(folio)) &lt;-- BOOM \"2\" es una entrada hermana de xarray. Lo obtenemos porque memfd_pin_folios no redondea los \u00edndices pasados a filemap_get_folios_contig a los l\u00edmites de p\u00e1ginas enormes para THP, por lo que cargamos desde el medio de un rango de p\u00e1ginas enormes para ver un hermano. (S\u00ed redondea para hugetlbfs, en la prueba is_file_hugepages). Para solucionarlo, si el folio es un hermano, entonces devuelva el siguiente \u00edndice como punto de inicio para la siguiente llamada a filemap_get_folios_contig."}], "lastModified": "2024-10-24T20:22:42.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}