fkie_cve-2024-56628
Vulnerability from fkie_nvd
Published
2024-12-27 15:15
Modified
2024-12-27 15:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Add architecture specific huge_pte_clear() When executing mm selftests run_vmtests.sh, there is such an error: BUG: Bad page state in process uffd-unit-tests pfn:00000 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff) raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set Modules linked in: snd_seq_dummy snd_seq snd_seq_device rfkill vfat fat virtio_balloon efi_pstore virtio_net pstore net_failover failover fuse nfnetlink virtio_scsi virtio_gpu virtio_dma_buf dm_multipath efivarfs CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests Not tainted 6.12.0 #184 Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 Stack : 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000 900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8 900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 0000000000000001 0000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000 0000000000000022 0000000fffffffff fffffffffe000000 ffff800000000000 000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940 0000000000000000 0000000000000000 90000000025aa5e0 9000000002905000 0000000000000000 90000000028f8940 ffff800000000000 0000000000000000 0000000000000000 0000000000000000 9000000000223a94 000000012001839c 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d ... Call Trace: [<9000000000223a94>] show_stack+0x5c/0x180 [<9000000001c3fd64>] dump_stack_lvl+0x6c/0xa0 [<900000000056aa08>] bad_page+0x1a0/0x1f0 [<9000000000574978>] free_unref_folios+0xbf0/0xd20 [<90000000004e65cc>] folios_put_refs+0x1a4/0x2b8 [<9000000000599a0c>] free_pages_and_swap_cache+0x164/0x260 [<9000000000547698>] tlb_batch_pages_flush+0xa8/0x1c0 [<9000000000547f30>] tlb_finish_mmu+0xa8/0x218 [<9000000000543cb8>] exit_mmap+0x1a0/0x360 [<9000000000247658>] __mmput+0x78/0x200 [<900000000025583c>] do_exit+0x43c/0xde8 [<9000000000256490>] do_group_exit+0x68/0x110 [<9000000000256554>] sys_exit_group+0x1c/0x20 [<9000000001c413b4>] do_syscall+0x94/0x130 [<90000000002216d8>] handle_syscall+0xb8/0x158 Disabling lock debugging due to kernel taint BUG: non-zero pgtables_bytes on freeing mm: -16384 On LoongArch system, invalid huge pte entry should be invalid_pte_table or a single _PAGE_HUGE bit rather than a zero value. And it should be the same with invalid pmd entry, since pmd_none() is called by function free_pgd_range() and pmd_none() return 0 by huge_pte_clear(). So single _PAGE_HUGE bit is also treated as a valid pte table and free_pte_range() will be called in free_pmd_range(). free_pmd_range() pmd = pmd_offset(pud, addr); do { next = pmd_addr_end(addr, end); if (pmd_none_or_clear_bad(pmd)) continue; free_pte_range(tlb, pmd, addr); } while (pmd++, addr = next, addr != end); Here invalid_pte_table is used for both invalid huge pte entry and pmd entry.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7cd1f5f77925ae905a57296932f0f9ef0dc364f8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7dfbf011a57b9e1a40f5ce8080a53c497e105c6c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9b602190cf2d8ac957be0011e418ed6c3b49b9a3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dba3c45e333a3a2a01395b5f5e5f88f8baba74e4
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Add architecture specific huge_pte_clear()\n\nWhen executing mm selftests run_vmtests.sh, there is such an error:\n\n BUG: Bad page state in process uffd-unit-tests  pfn:00000\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0\n flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff)\n raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n Modules linked in: snd_seq_dummy snd_seq snd_seq_device rfkill vfat fat\n    virtio_balloon efi_pstore virtio_net pstore net_failover failover fuse\n    nfnetlink virtio_scsi virtio_gpu virtio_dma_buf dm_multipath efivarfs\n CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests Not tainted 6.12.0 #184\n Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n Stack : 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000\n         900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8\n         900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 0000000000000001\n         0000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000\n         0000000000000022 0000000fffffffff fffffffffe000000 ffff800000000000\n         000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940\n         0000000000000000 0000000000000000 90000000025aa5e0 9000000002905000\n         0000000000000000 90000000028f8940 ffff800000000000 0000000000000000\n         0000000000000000 0000000000000000 9000000000223a94 000000012001839c\n         00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d\n         ...\n Call Trace:\n [\u003c9000000000223a94\u003e] show_stack+0x5c/0x180\n [\u003c9000000001c3fd64\u003e] dump_stack_lvl+0x6c/0xa0\n [\u003c900000000056aa08\u003e] bad_page+0x1a0/0x1f0\n [\u003c9000000000574978\u003e] free_unref_folios+0xbf0/0xd20\n [\u003c90000000004e65cc\u003e] folios_put_refs+0x1a4/0x2b8\n [\u003c9000000000599a0c\u003e] free_pages_and_swap_cache+0x164/0x260\n [\u003c9000000000547698\u003e] tlb_batch_pages_flush+0xa8/0x1c0\n [\u003c9000000000547f30\u003e] tlb_finish_mmu+0xa8/0x218\n [\u003c9000000000543cb8\u003e] exit_mmap+0x1a0/0x360\n [\u003c9000000000247658\u003e] __mmput+0x78/0x200\n [\u003c900000000025583c\u003e] do_exit+0x43c/0xde8\n [\u003c9000000000256490\u003e] do_group_exit+0x68/0x110\n [\u003c9000000000256554\u003e] sys_exit_group+0x1c/0x20\n [\u003c9000000001c413b4\u003e] do_syscall+0x94/0x130\n [\u003c90000000002216d8\u003e] handle_syscall+0xb8/0x158\n Disabling lock debugging due to kernel taint\n BUG: non-zero pgtables_bytes on freeing mm: -16384\n\nOn LoongArch system, invalid huge pte entry should be invalid_pte_table\nor a single _PAGE_HUGE bit rather than a zero value. And it should be\nthe same with invalid pmd entry, since pmd_none() is called by function\nfree_pgd_range() and pmd_none() return 0 by huge_pte_clear(). So single\n_PAGE_HUGE bit is also treated as a valid pte table and free_pte_range()\nwill be called in free_pmd_range().\n\n  free_pmd_range()\n        pmd = pmd_offset(pud, addr);\n        do {\n                next = pmd_addr_end(addr, end);\n                if (pmd_none_or_clear_bad(pmd))\n                        continue;\n                free_pte_range(tlb, pmd, addr);\n        } while (pmd++, addr = next, addr != end);\n\nHere invalid_pte_table is used for both invalid huge pte entry and\npmd entry."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: LoongArch: Agregar huge_pte_clear() espec\u00edfico de la arquitectura. Al ejecutar las pruebas autom\u00e1ticas mm run_vmtests.sh, aparece el siguiente error: BUG: Bad page state in process uffd-unit-tests pfn:00000 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff) raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 p\u00e1gina volcada porque: PAGE_FLAGS_CHECK_AT_FREE indicador(es) establecido(s) M\u00f3dulos vinculados en: snd_seq_dummy snd_seq snd_seq_device rfkill vfat fat virtio_balloon efi_pstore virtio_net pstore net_failover failover fuse nfnetlink virtio_scsi virtio_gpu virtio_dma_buf dm_multipath efivarfs CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests No contaminado 6.12.0 #184 Nombre del hardware: QEMU M\u00e1quina virtual QEMU, BIOS desconocido 2/2/2022 Pila: 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000 900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8 900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 000000000000001 000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000 0000000000000022 0000000ffffffffff fffffffffe000000 ffff800000000000 000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940 0000000000000000 000000000000000 90000000025aa5e0 9000000002905000 0000000000000000 90000000028f8940 ffff800000000000 000000000000000 0000000000000000 0000000000000000 0000000000000000 9000000000223a94 000000012001839c 00000000000000b0 0000000000000004 000000000000000 0000000000071c1d ... Seguimiento de llamadas: [\u0026lt;9000000000223a94\u0026gt;] show_stack+0x5c/0x180 [\u0026lt;9000000001c3fd64\u0026gt;] dump_stack_lvl+0x6c/0xa0 [\u0026lt;900000000056aa08\u0026gt;] p\u00e1gina_incorrecta+0x1a0/0x1f0 [\u0026lt;9000000000574978\u0026gt;] folios_sin_referencia_gratis+0xbf0/0xd20 [\u0026lt;90000000004e65cc\u0026gt;] folios_colocar_referencias+0x1a4/0x2b8 [\u0026lt;9000000000599a0c\u0026gt;] p\u00e1ginas_y_cach\u00e9_de_intercambio_gratis+0x164/0x260 [\u0026lt;9000000000547698\u0026gt;] vaciado_de_p\u00e1ginas_por_lotes_tlb+0xa8/0x1c0 [\u0026lt;9000000000547f30\u0026gt;] tlb_finish_mmu+0xa8/0x218 [\u0026lt;9000000000543cb8\u0026gt;] salida_mmap+0x1a0/0x360 [\u0026lt;9000000000247658\u0026gt;] __mmput+0x78/0x200 [\u0026lt;900000000025583c\u0026gt;] hacer_salir+0x43c/0xde8 [\u0026lt;9000000000256490\u0026gt;] hacer_grupo_salir+0x68/0x110 [\u0026lt;9000000000256554\u0026gt;] grupo_salir_sistema+0x1c/0x20 [\u0026lt;9000000001c413b4\u0026gt;] hacer_llamada_sistema+0x94/0x130 [\u0026lt;90000000002216d8\u0026gt;] handle_syscall+0xb8/0x158 Deshabilitando la depuraci\u00f3n de bloqueo debido a una contaminaci\u00f3n del kernel ERROR: pgtables_bytes distintos de cero al liberar mm: -16384 En el sistema LoongArch, una entrada pte enorme no v\u00e1lida debe ser invalid_pte_table o un solo bit _PAGE_HUGE en lugar de un valor cero. Y deber\u00eda ser lo mismo con una entrada pmd no v\u00e1lida, ya que pmd_none() es llamada por la funci\u00f3n free_pgd_range() y pmd_none() devuelve 0 por huge_pte_clear(). Por lo tanto, un solo bit _PAGE_HUGE tambi\u00e9n se trata como una tabla pte v\u00e1lida y free_pte_range() se llamar\u00e1 en free_pmd_range(). free_pmd_range() pmd = pmd_offset(pud, addr); do { next = pmd_addr_end(addr, end); if (pmd_none_or_clear_bad(pmd)) continue; free_pte_range(tlb, pmd, addr); } while (pmd++, addr = next, addr != end); Aqu\u00ed invalid_pte_table se utiliza tanto para entradas pte enormes no v\u00e1lidas como para entradas pmd."
    }
  ],
  "id": "CVE-2024-56628",
  "lastModified": "2024-12-27T15:15:22.357",
  "metrics": {},
  "published": "2024-12-27T15:15:22.357",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7cd1f5f77925ae905a57296932f0f9ef0dc364f8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7dfbf011a57b9e1a40f5ce8080a53c497e105c6c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9b602190cf2d8ac957be0011e418ed6c3b49b9a3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dba3c45e333a3a2a01395b5f5e5f88f8baba74e4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.