fkie_cve-2024-56673
Vulnerability from fkie_nvd
Published
2024-12-27 15:15
Modified
2025-01-06 15:08
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: riscv: mm: Do not call pmd dtor on vmemmap page table teardown The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page tables are populated using pmd (page middle directory) hugetables. However, the pmd allocation is not using the generic mechanism used by the VMA code (e.g. pmd_alloc()), or the RISC-V specific create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table code allocates a page, and calls vmemmap_set_pmd(). This results in that the pmd ctor is *not* called, nor would it make sense to do so. Now, when tearing down a vmemmap page table pmd, the cleanup code would unconditionally, and incorrectly call the pmd dtor, which results in a crash (best case). This issue was found when running the HMM selftests: | tools/testing/selftests/mm# ./test_hmm.sh smoke | ... # when unloading the test_hmm.ko module | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b | flags: 0x1000000000000000(node=0|zone=1) | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte) | ------------[ cut here ]------------ | kernel BUG at include/linux/mm.h:3080! | Kernel BUG [#1] | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2 | Tainted: [W]=WARN | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024 | epc : remove_pgd_mapping+0xbec/0x1070 | ra : remove_pgd_mapping+0xbec/0x1070 | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940 | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04 | t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50 | s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008 | a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000 | a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8 | s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000 | s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000 | s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0 | s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00 | t5 : ff60000080244000 t6 : ff20000000a73708 | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003 | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070 | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e | [<ffffffff8032e698>] section_deactivate+0x220/0x452 | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58 | [<ffffffff802f8700>] __remove_pages+0x7e/0xba | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm] | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm] | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6 | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266 | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2 | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597 | ---[ end trace 0000000000000000 ]--- | Kernel panic - not syncing: Fatal exception in interrupt Add a check to avoid calling the pmd dtor, if the calling context is vmemmap_free().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/21f1b85c8912262adf51707e63614a114425eb10Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/344945806f2f7af68be98bac02836c867f223aa9Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel 6.13
linux linux_kernel 6.13


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "97C759FD-3999-4EA7-B961-1CADF641F560",
                     versionEndExcluding: "6.12.6",
                     versionStartIncluding: "6.11",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "5A073481-106D-4B15-B4C7-FB0213B8E1D4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Do not call pmd dtor on vmemmap page table teardown\n\nThe vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page\ntables are populated using pmd (page middle directory) hugetables.\nHowever, the pmd allocation is not using the generic mechanism used by\nthe VMA code (e.g. pmd_alloc()), or the RISC-V specific\ncreate_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table\ncode allocates a page, and calls vmemmap_set_pmd(). This results in\nthat the pmd ctor is *not* called, nor would it make sense to do so.\n\nNow, when tearing down a vmemmap page table pmd, the cleanup code\nwould unconditionally, and incorrectly call the pmd dtor, which\nresults in a crash (best case).\n\nThis issue was found when running the HMM selftests:\n\n  | tools/testing/selftests/mm# ./test_hmm.sh smoke\n  | ... # when unloading the test_hmm.ko module\n  | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b\n  | flags: 0x1000000000000000(node=0|zone=1)\n  | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000\n  | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n  | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)\n  | ------------[ cut here ]------------\n  | kernel BUG at include/linux/mm.h:3080!\n  | Kernel BUG [#1]\n  | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod\n  | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G        W          6.12.0-00982-gf2a4f1682d07 #2\n  | Tainted: [W]=WARN\n  | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024\n  | epc : remove_pgd_mapping+0xbec/0x1070\n  |  ra : remove_pgd_mapping+0xbec/0x1070\n  | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940\n  |  gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04\n  |  t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50\n  |  s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008\n  |  a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000\n  |  a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8\n  |  s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000\n  |  s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000\n  |  s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0\n  |  s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00\n  |  t5 : ff60000080244000 t6 : ff20000000a73708\n  | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003\n  | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070\n  | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e\n  | [<ffffffff8032e698>] section_deactivate+0x220/0x452\n  | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58\n  | [<ffffffff802f8700>] __remove_pages+0x7e/0xba\n  | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe\n  | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]\n  | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]\n  | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6\n  | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266\n  | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2\n  | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597\n  | ---[ end trace 0000000000000000 ]---\n  | Kernel panic - not syncing: Fatal exception in interrupt\n\nAdd a check to avoid calling the pmd dtor, if the calling context is\nvmemmap_free().",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: mm: No llamar a pmd dtor en el desmontaje de la tabla de páginas vmemmap Las tablas de páginas vmemmap, que se utilizan para RV64 con SPARSEMEM_VMEMMAP, se rellenan utilizando enormes tablas pmd (directorio intermedio de páginas). Sin embargo, la asignación de pmd no utiliza el mecanismo genérico utilizado por el código VMA (por ejemplo, pmd_alloc()), o el create_pgd_mapping()/alloc_pmd_late() específico de RISC-V. En su lugar, el código de la tabla de páginas vmemmap asigna una página y llama a vmemmap_set_pmd(). Esto da como resultado que el pmd ctor *no* se llame, ni tendría sentido hacerlo. Ahora, al desmantelar un pmd de la tabla de páginas vmemmap, el código de desinfección llamaría incondicional e incorrectamente al pmd dtor, lo que da como resultado un bloqueo (en el mejor de los casos). Este problema se encontró al ejecutar las autopruebas de HMM: | herramientas/pruebas/autopruebas/mm# ./test_hmm.sh smoke | ... # al descargar el módulo test_hmm.ko | página: refcount:1 mapcount:0 mapping:0000000000000000 índice:0x0 pfn:0x10915b | banderas: 0x1000000000000000(nodo=0|zona=1) | crudo: 1000000000000000 0000000000000000 dead0000000000122 0000000000000000 | raw: 0000000000000000 000000000000000 00000001ffffffff 0000000000000000 | página volcada porque: VM_BUG_ON_PAGE(ptdesc-&gt;pmd_huge_pte) | ------------[ cortar aquí ]------------ | ¡ERROR del kernel en include/linux/mm.h:3080! | ERROR del kernel [#1] | Módulos vinculados en: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod | CPU: 1 UID: 0 PID: 514 Comm: modprobe Contaminado: GW 6.12.0-00982-gf2a4f1682d07 #2 | Contaminado: [W]=WARN | Nombre del hardware: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024 | epc : remove_pgd_mapping+0xbec/0x1070 | ra : remove_pgd_mapping+0xbec/0x1070 | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940 | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04 | t1: 0720072007200720 t2: 706d756420656761 s0: ff20000000a73a50 | s1: ff6000008915cff8 a0: 0000000000000039 a1: 00000000000000008 | a2: ff600003fff0de20 a3: 0000000000000000 a4: 0000000000000000 | a5: 0000000000000000 a6: c0000000fffffff a7: ffffffff824469b8 | s2: ff1c0000022456c0 s3: ff1ffffffdbfffff s4: ff6000008915c000 | s5: ff6000008915c000 s6: ff6000008915c000 s7: ff1ffffffdc00000 | s8: 0000000000000001 s9: ff1ffffffdc00000 s10: ffffffff819a31f0 | s11: ffffffffffffffff t3: ffffffff8000c950 t4: ff60000080244f00 | t5 : ff60000080244000 t6 : ff20000000a73708 | estado: 0000000200000120 dirección incorrecta: ffffffff80010a68 causa: 0000000000000003 | [] eliminar_map_pgd+0xbec/0x1070 | [] vmemmap_free+0x14/0x1e | [] desactivar_sección+0x220/0x452 | [] eliminar_sección_sparse+0x4a/0x58 | [] __eliminar_páginas+0x7e/0xba | [] memunmap_páginas+0x2bc/0x3fe | [] dmirror_dispositivo_eliminar_fragmentos+0x2ea/0x518 [prueba_hmm] | [] hmm_dmirror_exit+0x3e/0x1018 [prueba_hmm] | [] __riscv_sys_eliminar_módulo+0x15a/0x2a6 | [] do_trap_ecall_u+0x1f2/0x266 | [] _new_vmalloc_restore_context_a0+0xc6/0xd2 | Código: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597 | ---[ fin del seguimiento 000000000000000 ]--- | Pánico del kernel - no sincroniza: Excepción fatal en la interrupción Agregue una verificación para evitar llamar al dtor pmd, si el contexto de llamada es vmemmap_free().",
      },
   ],
   id: "CVE-2024-56673",
   lastModified: "2025-01-06T15:08:36.363",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 5.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-12-27T15:15:27.210",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/21f1b85c8912262adf51707e63614a114425eb10",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/344945806f2f7af68be98bac02836c867f223aa9",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.