ghsa-58c3-gqj2-fvq8
Vulnerability from github
Published
2024-12-27 15:31
Modified
2025-01-06 15:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

riscv: mm: Do not call pmd dtor on vmemmap page table teardown

The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page tables are populated using pmd (page middle directory) hugetables. However, the pmd allocation is not using the generic mechanism used by the VMA code (e.g. pmd_alloc()), or the RISC-V specific create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table code allocates a page, and calls vmemmap_set_pmd(). This results in that the pmd ctor is not called, nor would it make sense to do so.

Now, when tearing down a vmemmap page table pmd, the cleanup code would unconditionally, and incorrectly call the pmd dtor, which results in a crash (best case).

This issue was found when running the HMM selftests:

| tools/testing/selftests/mm# ./test_hmm.sh smoke | ... # when unloading the test_hmm.ko module | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b | flags: 0x1000000000000000(node=0|zone=1) | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000 | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte) | ------------[ cut here ]------------ | kernel BUG at include/linux/mm.h:3080! | Kernel BUG [#1] | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2 | Tainted: [W]=WARN | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024 | epc : remove_pgd_mapping+0xbec/0x1070 | ra : remove_pgd_mapping+0xbec/0x1070 | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940 | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04 | t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50 | s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008 | a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000 | a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8 | s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000 | s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000 | s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0 | s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00 | t5 : ff60000080244000 t6 : ff20000000a73708 | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003 | [] remove_pgd_mapping+0xbec/0x1070 | [] vmemmap_free+0x14/0x1e | [] section_deactivate+0x220/0x452 | [] sparse_remove_section+0x4a/0x58 | [] __remove_pages+0x7e/0xba | [] memunmap_pages+0x2bc/0x3fe | [] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm] | [] hmm_dmirror_exit+0x3e/0x1018 [test_hmm] | [] __riscv_sys_delete_module+0x15a/0x2a6 | [] do_trap_ecall_u+0x1f2/0x266 | [] _new_vmalloc_restore_context_a0+0xc6/0xd2 | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597 | ---[ end trace 0000000000000000 ]--- | Kernel panic - not syncing: Fatal exception in interrupt

Add a check to avoid calling the pmd dtor, if the calling context is vmemmap_free().

Show details on source website

To clipboard 

{
   affected: [],
   aliases: [
      "CVE-2024-56673",
   ],
   database_specific: {
      cwe_ids: [],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-12-27T15:15:27Z",
      severity: "MODERATE",
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Do not call pmd dtor on vmemmap page table teardown\n\nThe vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page\ntables are populated using pmd (page middle directory) hugetables.\nHowever, the pmd allocation is not using the generic mechanism used by\nthe VMA code (e.g. pmd_alloc()), or the RISC-V specific\ncreate_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table\ncode allocates a page, and calls vmemmap_set_pmd(). This results in\nthat the pmd ctor is *not* called, nor would it make sense to do so.\n\nNow, when tearing down a vmemmap page table pmd, the cleanup code\nwould unconditionally, and incorrectly call the pmd dtor, which\nresults in a crash (best case).\n\nThis issue was found when running the HMM selftests:\n\n  | tools/testing/selftests/mm# ./test_hmm.sh smoke\n  | ... # when unloading the test_hmm.ko module\n  | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b\n  | flags: 0x1000000000000000(node=0|zone=1)\n  | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000\n  | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n  | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)\n  | ------------[ cut here ]------------\n  | kernel BUG at include/linux/mm.h:3080!\n  | Kernel BUG [#1]\n  | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod\n  | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G        W          6.12.0-00982-gf2a4f1682d07 #2\n  | Tainted: [W]=WARN\n  | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024\n  | epc : remove_pgd_mapping+0xbec/0x1070\n  |  ra : remove_pgd_mapping+0xbec/0x1070\n  | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940\n  |  gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04\n  |  t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50\n  |  s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008\n  |  a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000\n  |  a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8\n  |  s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000\n  |  s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000\n  |  s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0\n  |  s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00\n  |  t5 : ff60000080244000 t6 : ff20000000a73708\n  | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003\n  | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070\n  | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e\n  | [<ffffffff8032e698>] section_deactivate+0x220/0x452\n  | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58\n  | [<ffffffff802f8700>] __remove_pages+0x7e/0xba\n  | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe\n  | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]\n  | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]\n  | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6\n  | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266\n  | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2\n  | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597\n  | ---[ end trace 0000000000000000 ]---\n  | Kernel panic - not syncing: Fatal exception in interrupt\n\nAdd a check to avoid calling the pmd dtor, if the calling context is\nvmemmap_free().",
   id: "GHSA-58c3-gqj2-fvq8",
   modified: "2025-01-06T15:30:59Z",
   published: "2024-12-27T15:31:56Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-56673",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/21f1b85c8912262adf51707e63614a114425eb10",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/344945806f2f7af68be98bac02836c867f223aa9",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
         type: "CVSS_V3",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.