CVE-2024-50066 – mm/mremap: fix move_normal_pmd/retract_page_tables race
https://notcve.org/view.php?id=CVE-2024-50066
In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix move_normal_pmd/retract_page_tables race In mremap(), move_page_tables() looks at the type of the PMD entry and the specified address range to figure out by which method the next chunk of page table entries should be moved. At that point, the mmap_lock is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then does move_normal_pmd(). move_normal_pmd() takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is: The rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it. So we can race as follows (with two processes that have mappings of the same tmpfs file that is stored on a tmpfs mount with huge=advise); note that process A accesses page tables through the MM while process B does it through the file rmap: process A process B ========= ========= mremap mremap_to move_vma move_page_tables get_old_pmd alloc_new_pmd *** PREEMPT *** madvise(MADV_COLLAPSE) do_madvise madvise_walk_vmas madvise_vma_behavior madvise_collapse hpage_collapse_scan_file collapse_file retract_page_tables i_mmap_lock_read(mapping) pmdp_collapse_flush i_mmap_unlock_read(mapping) move_pgt_entry(NORMAL_PMD, ...) take_rmap_locks move_normal_pmd drop_rmap_locks When this happens, move_normal_pmd() can end up creating bogus PMD entries in the line `pmd_populate(mm, new_pmd, pmd_pgtable(pmd))`. The effect depends on arch-specific and machine-specific details; on x86, you can end up with physical page 0 mapped as a page table, which is likely exploitable for user->kernel privilege escalation. Fix the race by letting process B recheck that the PMD still points to a page table after the rmap locks have been taken. Otherwise, we bail and let the caller fall back to the PTE-level copying path, which will then bail immediately at the pmd_none() check. Bug reachability: Reaching this bug requires that you can create shmem/file THP mappings - anonymous THP uses different code that doesn't zap stuff under rmap locks. File THP is gated on an experimental config flag (CONFIG_READ_ONLY_THP_FOR_FS), so on normal distro kernels you need shmem THP to hit this bug. • https://git.kernel.org/stable/c/1d65b771bc08cd054cf6d3766a72e113dc46d62f https://git.kernel.org/stable/c/17396e32f975130b3e6251f024c8807d192e4c3e https://git.kernel.org/stable/c/1552ce9ce8af47c0fe911682e5e1855e25851ca9 https://git.kernel.org/stable/c/6fa1066fc5d00cb9f1b0e83b7ff6ef98d26ba2aa https://project-zero.issues.chromium.org/issues/371047675 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2023-52919 – nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
https://notcve.org/view.php?id=CVE-2023-52919
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Handle memory allocation failure from nci_skb_alloc() (calling alloc_skb()) to avoid possible NULL pointer dereference. • https://git.kernel.org/stable/c/391d8a2da787257aeaf952c974405b53926e3fb3 https://git.kernel.org/stable/c/2b2edf089df3a69f0072c6e71563394c5a94e62e https://git.kernel.org/stable/c/5622592f8f74ae3e594379af02e64ea84772d0dd https://git.kernel.org/stable/c/76050b0cc5a72e0c7493287b7e18e1cb9e3c4612 https://git.kernel.org/stable/c/c95fa5b20fe03609e0894656fa43c18045b5097e https://git.kernel.org/stable/c/ffdc881f68073ff86bf21afb9bb954812e8278be https://git.kernel.org/stable/c/d7dbdbe3800a908eecd4975c31be47dd45e2104a https://git.kernel.org/stable/c/bb6cacc439ddd2cd51227ab193f4f91cf •
CVE-2023-52918 – media: pci: cx23885: check cx23885_vdev_init() return
https://notcve.org/view.php?id=CVE-2023-52918
In the Linux kernel, the following vulnerability has been resolved: media: pci: cx23885: check cx23885_vdev_init() return cx23885_vdev_init() can return a NULL pointer, but that pointer is used in the next line without a check. Add a NULL pointer check and go to the error unwind if it is NULL. • https://git.kernel.org/stable/c/8e31b096e2e1949bc8f0be019c9ae70d414404c6 https://git.kernel.org/stable/c/199a42fc4c45e8b7f19efeb15dbc36889a599ac2 https://git.kernel.org/stable/c/e7385510e2550a9f8b6f3d5f33c5b894ab9ba976 https://git.kernel.org/stable/c/a5f1d30c51c485cec7a7de60205667c3ff86c303 https://git.kernel.org/stable/c/06ee04a907d64ee3910fecedd05d7f1be4b1b70e https://git.kernel.org/stable/c/b1397fb4a779fca560c43d2acf6702d41b4a495b https://git.kernel.org/stable/c/15126b916e39b0cb67026b0af3c014bfeb1f76b3 •
CVE-2022-48952 – PCI: mt7621: Add sentinel to quirks table
https://notcve.org/view.php?id=CVE-2022-48952
In the Linux kernel, the following vulnerability has been resolved: PCI: mt7621: Add sentinel to quirks table Current driver is missing a sentinel in the struct soc_device_attribute array, which causes an oops when assessed by the soc_device_match(mt7621_pcie_quirks_match) call. This was only exposed once the CONFIG_SOC_MT7621 mt7621 soc_dev_attr was fixed to register the SOC as a device, in: commit 7c18b64bba3b ("mips: ralink: mt7621: do not use kzalloc too early") Fix it by adding the required sentinel. • https://git.kernel.org/stable/c/b483b4e4d3f6bfd5089b9e6dc9ba259879c6ce6f https://git.kernel.org/stable/c/21fd877300b01d25c5807c327848fdc7c813cf0e https://git.kernel.org/stable/c/3e9c395ef2d52975b2c2894d2da09d6db2958bc6 https://git.kernel.org/stable/c/cb7323ece786f243f6d6ccf2e5b2b27b736bdc04 https://git.kernel.org/stable/c/a4997bae1b5b012c8a6e2643e26578a7bc2cae36 https://git.kernel.org/stable/c/19098934f910b4d47cb30251dd39ffa57bef9523 •
CVE-2022-48949 – igb: Initialize mailbox message for VF reset
https://notcve.org/view.php?id=CVE-2022-48949
In the Linux kernel, the following vulnerability has been resolved: igb: Initialize mailbox message for VF reset When a MAC address is not assigned to the VF, that portion of the message sent to the VF is not set. The memory, however, is allocated from the stack meaning that information may be leaked to the VM. Initialize the message buffer to 0 so that no information is passed to the VM in this case. • https://git.kernel.org/stable/c/6ddbc4cf1f4d5a3a58b4223c80881f299dae3774 https://git.kernel.org/stable/c/a6629659af3f5c6a91e3914ea62554c975ab77f4 https://git.kernel.org/stable/c/ef1d739dd1f362aec081278ff92f943c31eb177a https://git.kernel.org/stable/c/c581439a977545d61849a72e8ed631cfc8a2a3c1 https://git.kernel.org/stable/c/f2479c3daaabccbac6c343a737615d0c595c6dc4 https://git.kernel.org/stable/c/367e1e3399dbc56fc669740c4ab60e35da632b0e https://git.kernel.org/stable/c/51fd5ede7ed42f272682a0c33d6f0767b3484a3d https://git.kernel.org/stable/c/c383c7c35c7bc15e07a04eefa060a8a80 •