CVE-2024-42317

{"id": "CVE-2024-42317", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-17T09:15:11.633", "references": [{"url": "https://git.kernel.org/stable/c/d659b715e94ac039803d7601505d3473393fc0be", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e60f62f75c99740a28e2bf7e6044086033012a16", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: avoid PMD-size page cache if needed\n\nxarray can't support arbitrary page cache size. the largest and supported\npage cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71\n(\"mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\"). However,\nit's possible to have 512MB page cache in the huge memory's collapsing\npath on ARM64 system whose base page size is 64KB. 512MB page cache is\nbreaking the limitation and a warning is raised when the xarray entry is\nsplit as shown in the following example.\n\n[root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize\nKernelPageSize: 64 kB\n[root@dhcp-10-26-1-207 ~]# cat /tmp/test.c\n :\nint main(int argc, char **argv)\n{\n\tconst char *filename = TEST_XFS_FILENAME;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret = 0;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stdout, \"System with 64KB base page size is required!\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open the xfs file */\n\tfd = open(filename, O_RDONLY);\n\tassert(fd > 0);\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0);\n\tassert(buf != (void *)-1);\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ);\n\tassert(ret == 0);\n\n\t/* Collapse VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE);\n\tif (ret) {\n\t\tfprintf(stdout, \"Error %d to madvise(MADV_COLLAPSE)\\n\", errno);\n\t\tgoto out;\n\t}\n\n\t/* Split xarray entry. Write permission is needed */\n\tmunmap(buf, TEST_MEM_SIZE);\n\tbuf = (void *)-1;\n\tclose(fd);\n\tfd = open(filename, O_RDWR);\n\tassert(fd > 0);\n\tfallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\t TEST_MEM_SIZE - pgsize, pgsize);\nout:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn ret;\n}\n\n[root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test\n[root@dhcp-10-26-1-207 ~]# /tmp/test\n ------------[ cut here ]------------\n WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\n Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\n nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\n nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\n ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \\\n xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \\\n sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio\n CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9\n Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\n pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n pc : xas_split_alloc+0xf8/0x128\n lr : split_huge_page_to_list_to_order+0x1c4/0x780\n sp : ffff8000ac32f660\n x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0\n x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d\n x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c\n x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8\n x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40\n x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\n Call trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x780\n truncate_inode_partial_folio+0xdc/0x160\n truncate_inode_pages_range+0x1b4/0x4a8\n truncate_pagecache_range+0x84/0xa\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mm/huge_memory: evite el cach\u00e9 de p\u00e1ginas de tama\u00f1o PMD si es necesario. xarray no puede admitir un tama\u00f1o de cach\u00e9 de p\u00e1ginas arbitrario. el tama\u00f1o de cach\u00e9 de p\u00e1gina m\u00e1s grande y admitido se define como MAX_PAGECACHE_ORDER mediante el commit 099d90642a71 (\"mm/filemap: hacer que MAX_PAGECACHE_ORDER sea aceptable para xarray\"). Sin embargo, es posible tener una cach\u00e9 de p\u00e1gina de 512 MB en la ruta de colapso de la enorme memoria en un sistema ARM64 cuyo tama\u00f1o de p\u00e1gina base es de 64 KB. La cach\u00e9 de p\u00e1gina de 512 MB supera la limitaci\u00f3n y aparece una advertencia cuando la entrada de xarray se divide como se muestra en el siguiente ejemplo. [root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize KernelPageSize: 64 kB [root@dhcp-10-26-1-207 ~]# cat /tmp/test.c : int main(int argc, char **argv) { const char *filename = TEST_XFS_FILENAME; intfd = 0; vac\u00edo *buf = (vac\u00edo *)-1, *p; int pgsize = getpagesize(); int ret = 0; if (pgsize != 0x10000) { fprintf(stdout, \"\u00a1Se requiere un sistema con un tama\u00f1o de p\u00e1gina base de 64 KB!\\n\"); devolver -EPERM; } system(\"echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb\"); sistema(\"echo 1 > /proc/sys/vm/drop_caches\"); /* Abrir el archivo xfs */ fd = open(nombre de archivo, O_RDONLY); afirmar(fd > 0); /* Crear VMA */ buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0); afirmar(buf != (void *)-1); fprintf(stdout, \"b\u00fafer asignado en 0x%p\\n\", buf); /* Completar VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE); afirmar(ret == 0); ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ); afirmar(ret == 0); /* Contraer VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE); afirmar(ret == 0); ret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE); if (ret) { fprintf(stdout, \"Error %d en madvise(MADV_COLLAPSE)\\n\", errno); salir; } /* Dividir entrada de matriz x. Se necesita permiso de escritura */ munmap(buf, TEST_MEM_SIZE); buf = (nulo *)-1; cerrar(fd); fd = open(nombre de archivo, O_RDWR); afirmar(fd > 0); fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, TEST_MEM_SIZE - tama\u00f1o de p\u00e1gina, tama\u00f1o de p\u00e1gina); salida: if (buf != (void *)-1) munmap(buf, TEST_MEM_SIZE); si (fd > 0) cerrar(fd); volver atr\u00e1s; } [root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test [root@dhcp-10-26-1-207 ~]# /tmp/test -- ----------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 25 PID: 7560 en lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 M\u00f3dulos vinculados en : nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\ _set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \\ xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \\ sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio CPU: 25 PID: 7560 Comm : prueba Kdump: cargado No contaminado 6.10.0-rc7-gavin+ #9 Nombre del hardware: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 24/05/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO + DIT -SSBS BTYPE=--) pc: xas_split_alloc+0xf8/0x128 lr: split_huge_page_to_list_to_order+0x1c4/0x780 sp: ffff8000ac32f660 x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: 000ac32f6c0 x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21 : 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000 x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: ffffffffffffffc0 x10: 0000000000000040 x9: 08e692c x8: 0000000000000003 x7: 0000000000000000 x6: ffff0000e0969eb8 x5: ffffd5f37289e378 x4: 0000000000000000 x3: 0000000000000c40 x2: 000000000000000d x1: 000000000000000c x0: 0000000000000000 Rastreo de llamadas: xas_split_alloc+0xf8/0x128 ---truncado---"}], "lastModified": "2025-10-07T20:24:54.863", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC0BACAC-D58B-4B99-949A-568C3CE31613", "versionEndExcluding": "6.10.3", "versionStartIncluding": "5.17"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}