CVE-2024-27022

fork: defer linking file vma until vma is fully initialized

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

fork: defer linking file vma until vma is fully initialized

Thorvald reported a WARNING [1]. And the root cause is below race:

CPU 1 CPU 2
fork hugetlbfs_fallocate
dup_mmap hugetlbfs_punch_hole
i_mmap_lock_write(mapping);
vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.
i_mmap_unlock_write(mapping);
hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!
i_mmap_lock_write(mapping);
hugetlb_vmdelete_list
vma_interval_tree_foreach
hugetlb_vma_trylock_write -- Vma_lock is cleared.
tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!
hugetlb_vma_unlock_write -- Vma_lock is assigned!!!
i_mmap_unlock_write(mapping);

hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside
i_mmap_rwsem lock while vma lock can be used in the same time. Fix this
by deferring linking file vma until vma is fully initialized. Those vmas
should be initialized first before they can be used.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: fork: posponga la vinculación del archivo vma hasta que vma esté completamente inicializado. Thorvald informó una ADVERTENCIA [1]. Y la causa raíz está por debajo de la raza: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after: el vma secundario es visible a través del árbol i_mmap. i_mmap_unlock_write(mapeo); enormetlb_dup_vma_private: ¡borre vma_lock fuera de i_mmap_rwsem! i_mmap_lock_write(mapeo); Hugetlb_vmdelete_list vma_interval_tree_foreach Hugetlb_vma_trylock_write: Vma_lock está borrado. tmp->vm_ops->open - ¡Asigne nuevo vma_lock fuera de i_mmap_rwsem! enormetlb_vma_unlock_write - ¡¡¡Vma_lock está asignado!!! i_mmap_unlock_write(mapeo); Hugetlb_dup_vma_private() y hugetlb_vm_op_open() se llaman fuera del bloqueo i_mmap_rwsem, mientras que el bloqueo vma se puede utilizar al mismo tiempo. Solucione este problema posponiendo la vinculación del archivo vma hasta que vma esté completamente inicializado. Esos vmas deben inicializarse primero antes de poder usarlos.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-24 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-908: Use of Uninitialized Resource

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/8d9bfb2608145cf3e408428c224099e1585471af	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557	2024-05-02
https://git.kernel.org/stable/c/04b0c41912349aff11a1bbaef6a722bd7fbb90ac	2024-06-21
https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf	2024-05-02
https://git.kernel.org/stable/c/dd782da470761077f4d1120e191f1a35787cda6e	2024-06-21
https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34	2024-04-27
https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19	2024-04-16

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-27022	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2278252	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.90 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.90"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.6.30 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.30"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.8.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.9"		en		Affected