CVE-2024-35877

x86/mm/pat: fix VM_PAT handling in COW mappings

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

x86/mm/pat: fix VM_PAT handling in COW mappings

PAT handling won't do the right thing in COW mappings: the first PTE (or,
in fact, all PTEs) can be replaced during write faults to point at anon
folios. Reliably recovering the correct PFN and cachemode using
follow_phys() from PTEs will not work in COW mappings.

Using follow_phys(), we might just get the address+protection of the anon
folio (which is very wrong), or fail on swap/nonswap entries, failing
follow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and
track_pfn_copy(), not properly calling free_pfn_range().

In free_pfn_range(), we either wouldn't call memtype_free() or would call
it with the wrong range, possibly leaking memory.

To fix that, let's update follow_phys() to refuse returning anon folios,
and fallback to using the stored PFN inside vma->vm_pgoff for COW mappings
if we run into that.

We will now properly handle untrack_pfn() with COW mappings, where we
don't need the cachemode. We'll have to fail fork()->track_pfn_copy() if
the first page was replaced by an anon folio, though: we'd have to store
the cachemode in the VMA to make this work, likely growing the VMA size.

For now, lets keep it simple and let track_pfn_copy() just fail in that
case: it would have failed in the past with swap/nonswap entries already,
and it would have done the wrong thing with anon folios.

Simple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():

<--- C reproducer --->
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <liburing.h>

int main(void)
{
struct io_uring_params p = {};
int ring_fd;
size_t size;
char *map;

ring_fd = io_uring_setup(1, &p);
if (ring_fd < 0) {
perror("io_uring_setup");
return 1;
}
size = p.sq_off.array + p.sq_entries * sizeof(unsigned);

/* Map the submission queue ring MAP_PRIVATE */
map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
ring_fd, IORING_OFF_SQ_RING);
if (map == MAP_FAILED) {
perror("mmap");
return 1;
}

/* We have at least one page. Let's COW it. */
*map = 0;
pause();
return 0;
}
<--- C reproducer --->

On a system with 16 GiB RAM and swap configured:
# ./iouring &
# memhog 16G
# killall iouring
[ 301.552930] ------------[ cut here ]------------
[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100
[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g
[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1
[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4
[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100
[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000
[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282
[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047
[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200
[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000
[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000
[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000
[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000
[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0
[ 301.565725] PKRU: 55555554
[ 301.565944] Call Trace:
[ 301.566148] <TASK>
[ 301.566325] ? untrack_pfn+0xf4/0x100
[ 301.566618] ? __warn+0x81/0x130
[ 301.566876] ? untrack_pfn+0xf4/0x100
[ 3
---truncated---

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/mm/pat: corrige el manejo de VM_PAT en asignaciones COW El manejo de PAT no funcionará correctamente en las asignaciones COW: la primera PTE (o, de hecho, todas las PTE) pueden ser reemplazado durante fallos de escritura para señalar folios anónimos. Recuperar de manera confiable el PFN y el modo de caché correctos usando follow_phys() de las PTE no funcionará en las asignaciones COW. Usando follow_phys(), podríamos obtener la dirección+protección de la publicación anónima (lo cual es muy incorrecto), o fallar en las entradas de intercambio/no intercambio, fallando en follow_phys() y activando un WARN_ON_ONCE() en untrack_pfn() y track_pfn_copy() , no llamando correctamente a free_pfn_range(). En free_pfn_range(), no llamaríamos a memtype_free() o lo llamaríamos con el rango incorrecto, posiblemente perdiendo memoria. Para solucionarlo, actualicemos follow_phys() para rechazar la devolución de publicaciones anónimas y recurramos al uso del PFN almacenado dentro de vma->vm_pgoff para asignaciones COW si nos encontramos con eso. Ahora manejaremos adecuadamente untrack_pfn() con asignaciones COW, donde no necesitamos el modo caché. Sin embargo, tendremos que fallar fork()->track_pfn_copy() si la primera página fue reemplazada por una publicación anónima: tendríamos que almacenar el modo de caché en el VMA para que esto funcione, probablemente aumentando el tamaño del VMA. Por ahora, mantengámoslo simple y dejemos que track_pfn_copy() simplemente falle en ese caso: ya habría fallado en el pasado con entradas de intercambio/no intercambio, y habría hecho algo incorrecto con folios anónimos. Reproductor simple para activar WARN_ON_ONCE() en untrack_pfn(): <--- Reproductor C ---> #include #include #include #include int main(void) { struct io_uring_params p = {}; int anillo_fd; tamaño_t tamaño; carbón *mapa; ring_fd = io_uring_setup(1, &p); if (ring_fd < 0) { perror("io_uring_setup"); devolver 1; } tamaño = p.sq_off.array + p.sq_entries * tamaño de (sin firmar); /* Asigna el anillo de cola de envío MAP_PRIVATE */ map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE, ring_fd, IORING_OFF_SQ_RING); if (mapa == MAP_FAILED) { perror("mmap"); devolver 1; } /* Tenemos al menos una página. Vamos a acobardarnos. */ *mapa = 0; pausa(); devolver 0; } <--- Reproductor C ---> En un sistema con 16 GiB de RAM y swap configurado: # ./iouring & # memhog 16G # killall iouring [ 301.552930] ------------[ cut aquí ]------------ [ 301.553285] ADVERTENCIA: CPU: 7 PID: 1402 en arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100 [ 301.553989] Módulos vinculados en : binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g [ 301.558232] CPU: 7 PID: 1402 Comm: iouring No contaminado 6.7.5-100.fc38.x86_64 #1 [ 301.558772] Nombre del hardware: PC estándar QEMU (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4 [ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100 [ 301.559893] Código: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000 [ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282 [ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 455e047 [301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200 [301.562628] RBP: 0000000000000000 R08: 8 R09: 0000000000000000 [ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000 [ 301.563669] R13: 00000 R14: ffffba2c0377fc08 R15: 00000000000000000 [ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000 0 [301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0 [ 301.565725] KRU: 55555554 [ 301.565944] Seguimiento de llamadas: [ 301.566148] [ 301.566325] ? untrack_pfn+0xf4/0x100 [301.566618]? __advertir+0x81/0x130 [ 301.566876] ? untrack_pfn+0xf4/0x100 [ 3 ---truncado---

*Credits: N/A

CVSS Scores

Red Hatv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-17 CVE Reserved
2024-05-19 CVE Published
2024-05-20 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/5899329b19100c0b82dc78e9b21ed8b920c9ffb3	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b	2024-04-13
https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173	2024-04-13
https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4	2024-04-13
https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a	2024-04-13
https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f	2024-04-10
https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec	2024-04-10
https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6	2024-04-10
https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221	2024-04-05

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-35877	2024-09-24
https://bugzilla.redhat.com/show_bug.cgi?id=2281720	2024-09-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 4.19.312 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 4.19.312"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 5.15.155 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 5.15.155"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 6.1.85 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 6.1.85"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 6.6.26 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 6.6.26"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 6.8.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 6.8.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.29 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.29 < 6.9"		en		Affected