CVE-2024-36881
mm/userfaultfd: reset ptes when close() for wr-protected ones
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
mm/userfaultfd: reset ptes when close() for wr-protected ones
Userfaultfd unregister includes a step to remove wr-protect bits from all
the relevant pgtable entries, but that only covered an explicit
UFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself. Cover
that too. This fixes a WARN trace.
The only user visible side effect is the user can observe leftover
wr-protect bits even if the user close()ed on an userfaultfd when
releasing the last reference of it. However hopefully that should be
harmless, and nothing bad should happen even if so.
This change is now more important after the recent page-table-check
patch we merged in mm-unstable (446dd9ad37d0 ("mm/page_table_check:
support userfault wr-protect entries")), as we'll do sanity check on
uffd-wp bits without vma context. So it's better if we can 100%
guarantee no uffd-wp bit leftovers, to make sure each report will be
valid.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/userfaultfd: restablece ptes al cerrar() para los protegidos por wr. Userfaultfd unregister incluye un paso para eliminar los bits de wr-protect de todas las entradas relevantes de pgtable, pero eso solo cubre una UFFDIO_UNREGISTER ioctl explícito, no un close() en el propio userfaultfd. Cubre eso también. Esto corrige un rastro WARN. El único efecto secundario visible para el usuario es que puede observar los bits wr-protect sobrantes incluso si el usuario cerró () en un userfaultfd al liberar la última referencia del mismo. Sin embargo, es de esperar que eso sea inofensivo y, aun así, no debería pasar nada malo. Este cambio ahora es más importante después del reciente parche de verificación de tabla de páginas que fusionamos en mm-unstable (446dd9ad37d0 ("mm/page_table_check: admite entradas de protección wr de error de usuario")), ya que haremos una verificación de cordura en uffd-wp. bits sin contexto vma. Por lo tanto, es mejor si podemos garantizar al 100% que no queden restos de bits de uffd-wp, para asegurarnos de que cada informe sea válido.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-05-30 CVE Reserved
- 2024-05-30 CVE Published
- 2024-05-31 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/f369b07c861435bd812a9d14493f71b34132ed6f | Vuln. Introduced | |
| https://git.kernel.org/stable/c/3e2747c3ddfa717697c3cc2aa6ab989e48d6587d | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.6.31 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.6.31" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.8.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.8.10" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.0 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.0 < 6.9" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.19.6 Search vendor "Linux" for product "Linux Kernel" and version "5.19.6" | en |
Affected
| ||||||