ghsa-cxf4-996m-v4m3
Vulnerability from github
Published
2024-07-12 15:31
Modified
2024-07-12 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context

__kernel_map_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages.

This function set/clear the valid bit using __set_memory(). __set_memory() acquires init_mm's semaphore, and this operation may sleep. This is problematic, because __kernel_map_pages() can be called in atomic context, and thus is illegal to sleep. An example warning that this causes:

BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd preempt_count: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] ret_from_fork+0xe/0x1c

Rewrite this function with apply_to_existing_page_range(). It is fine to not have any locking, because __kernel_map_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.

Show details on source website

To clipboard 

{
   affected: [],
   aliases: [
      "CVE-2024-40915",
   ],
   database_specific: {
      cwe_ids: [],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-07-12T13:15:14Z",
      severity: null,
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because  __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[<ffffffff800060dc>] dump_backtrace+0x1c/0x24\n[<ffffffff8091ef6e>] show_stack+0x2c/0x38\n[<ffffffff8092baf8>] dump_stack_lvl+0x5a/0x72\n[<ffffffff8092bb24>] dump_stack+0x14/0x1c\n[<ffffffff8003b7ac>] __might_resched+0x104/0x10e\n[<ffffffff8003b7f4>] __might_sleep+0x3e/0x62\n[<ffffffff8093276a>] down_write+0x20/0x72\n[<ffffffff8000cf00>] __set_memory+0x82/0x2fa\n[<ffffffff8000d324>] __kernel_map_pages+0x5a/0xd4\n[<ffffffff80196cca>] __alloc_pages_bulk+0x3b2/0x43a\n[<ffffffff8018ee82>] __vmalloc_node_range+0x196/0x6ba\n[<ffffffff80011904>] copy_process+0x72c/0x17ec\n[<ffffffff80012ab4>] kernel_clone+0x60/0x2fe\n[<ffffffff80012f62>] kernel_thread+0x82/0xa0\n[<ffffffff8003552c>] kthreadd+0x14a/0x1be\n[<ffffffff809357de>] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime.",
   id: "GHSA-cxf4-996m-v4m3",
   modified: "2024-07-12T15:31:27Z",
   published: "2024-07-12T15:31:27Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-40915",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4",
      },
   ],
   schema_version: "1.4.0",
   severity: [],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.