CVE-2024-40915

{"id": "CVE-2024-40915", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-12T13:15:14.660", "references": [{"url": "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8661a7af04991201640863ad1a0983173f84b5eb", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/919f8626099d9909b9a9620b05e8c8ab06581876", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/d5257ceb19d92069195254866421f425aea42915", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/fb1cf0878328fe75d47f0aed0a65b30126fcefc4", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: rewrite __kernel_map_pages() to fix sleeping in invalid context\n\n__kernel_map_pages() is a debug function which clears the valid bit in page\ntable entry for deallocated pages to detect illegal memory accesses to\nfreed pages.\n\nThis function set/clear the valid bit using __set_memory(). __set_memory()\nacquires init_mm's semaphore, and this operation may sleep. This is\nproblematic, because __kernel_map_pages() can be called in atomic context,\nand thus is illegal to sleep. An example warning that this causes:\n\nBUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578\nin_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\npreempt_count: 2, expected: 0\nCPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[<ffffffff800060dc>] dump_backtrace+0x1c/0x24\n[<ffffffff8091ef6e>] show_stack+0x2c/0x38\n[<ffffffff8092baf8>] dump_stack_lvl+0x5a/0x72\n[<ffffffff8092bb24>] dump_stack+0x14/0x1c\n[<ffffffff8003b7ac>] __might_resched+0x104/0x10e\n[<ffffffff8003b7f4>] __might_sleep+0x3e/0x62\n[<ffffffff8093276a>] down_write+0x20/0x72\n[<ffffffff8000cf00>] __set_memory+0x82/0x2fa\n[<ffffffff8000d324>] __kernel_map_pages+0x5a/0xd4\n[<ffffffff80196cca>] __alloc_pages_bulk+0x3b2/0x43a\n[<ffffffff8018ee82>] __vmalloc_node_range+0x196/0x6ba\n[<ffffffff80011904>] copy_process+0x72c/0x17ec\n[<ffffffff80012ab4>] kernel_clone+0x60/0x2fe\n[<ffffffff80012f62>] kernel_thread+0x82/0xa0\n[<ffffffff8003552c>] kthreadd+0x14a/0x1be\n[<ffffffff809357de>] ret_from_fork+0xe/0x1c\n\nRewrite this function with apply_to_existing_page_range(). It is fine to\nnot have any locking, because __kernel_map_pages() works with pages being\nallocated/deallocated and those pages are not changed by anyone else in the\nmeantime."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: reescribe __kernel_map_pages() para arreglar el modo de dormir en un contexto no v\u00e1lido. __kernel_map_pages() es una funci\u00f3n de depuraci\u00f3n que borra el bit v\u00e1lido en la entrada de la tabla de p\u00e1ginas para p\u00e1ginas designadas para detectar accesos ilegales a la memoria de las p\u00e1ginas liberadas. Esta funci\u00f3n establece/borra el bit v\u00e1lido usando __set_memory(). __set_memory() adquiere el sem\u00e1foro de init_mm y esta operaci\u00f3n puede suspenderse. Esto es problem\u00e1tico, porque __kernel_map_pages() se puede llamar en un contexto at\u00f3mico y, por lo tanto, es ilegal dormir. Un ejemplo de advertencia de que esto causa: ERROR: funci\u00f3n inactiva llamada desde un contexto no v\u00e1lido en kernel/locking/rwsem.c:1578 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, nombre: kthreadd preempt_count: 2, esperado: 0 CPU: 0 PID: 2 Comm: kthreadd No contaminado 6.9.0-g1d4c6d784ef6 #37 Nombre de hardware: riscv-virtio,qemu (DT) Seguimiento de llamadas: [] dump_backtrace+0x1c/0x24 [] show_stack+0x2c/0x38 [] dump_stack_lvl+0x5a/0x72 [] dump_stack+0x14/0x1c [] __might_resched+0x104/0x10e [] __might_sleep+0x3e/0x62 [] down_write+0x20/0x72 [] __set_memory+0x82/0x2fa [] __kernel_map_pages+0x5a/0xd4 [] __alloc_pages_bulk+0x3b2/0x43a [] __vmalloc_node_range+0x196/0x6ba [] copy_process+0x72c/0x17ec [] kernel_clone+0x60/0x2fe [] kernel_thread+0x82/0xa0 [] kthreadd+0x14a/0x1be [] _from_fork+0xe/0x1c Reescribe esta funci\u00f3n con apply_to_existing_page_range(). Est\u00e1 bien no tener ning\u00fan bloqueo, porque __kernel_map_pages() funciona con p\u00e1ginas que se asignan/desasignan y, mientras tanto, nadie m\u00e1s cambia esas p\u00e1ginas."}], "lastModified": "2025-09-17T15:32:56.787", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4623BA67-BE0D-4507-9EDC-D54AB0EB2B7D", "versionEndExcluding": "6.1.95", "versionStartIncluding": "5.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F019D15-84C0-416B-8C57-7F51B68992F0", "versionEndExcluding": "6.6.35", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0ABBBA1D-F79D-4BDB-AA41-D1EDCC4A6975", "versionEndExcluding": "6.9.6", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}