CVE-2024-47674

mm: avoid leaving partial pfn mappings around in error case

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

mm: avoid leaving partial pfn mappings around in error case

As Jann points out, PFN mappings are special, because unlike normal
memory mappings, there is no lifetime information associated with the
mapping - it is just a raw mapping of PFNs with no reference counting of
a 'struct page'.

That's all very much intentional, but it does mean that it's easy to
mess up the cleanup in case of errors. Yes, a failed mmap() will always
eventually clean up any partial mappings, but without any explicit
lifetime in the page table mapping itself, it's very easy to do the
error handling in the wrong order.

In particular, it's easy to mistakenly free the physical backing store
before the page tables are actually cleaned up and (temporarily) have
stale dangling PTE entries.

To make this situation less error-prone, just make sure that any partial
pfn mapping is torn down early, before any other error handling.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: evitar dejar asignaciones pfn parciales en caso de error Como señala Jann, las asignaciones PFN son especiales, porque a diferencia de las asignaciones de memoria normales, no hay información de duración asociada con la asignación: es solo una asignación sin procesar de PFN sin recuento de referencias de una 'página de estructura'. Todo eso es muy intencional, pero significa que es fácil arruinar la limpieza en caso de errores. Sí, un mmap() fallido siempre limpiará eventualmente cualquier asignación parcial, pero sin ninguna duración explícita en la asignación de la tabla de páginas en sí, es muy fácil hacer el manejo de errores en el orden incorrecto. En particular, es fácil liberar por error el almacenamiento de respaldo físico antes de que las tablas de páginas se limpien realmente y (temporalmente) tengan entradas PTE colgantes obsoletas. Para hacer que esta situación sea menos propensa a errores, simplemente asegúrese de que cualquier asignación pfn parcial se elimine temprano, antes de cualquier otro manejo de errores.

An error path in usbdev_mmap() (where remap_pfn_range() fails midway through) frees pages before the PFN mapping pointing to those pages is cleaned up, making physical page use-after-free possible. Some other drivers look like they might have similar issues.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-30 CVE Reserved
2024-10-15 CVE Published
2024-10-19 EPSS Updated
2024-11-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://project-zero.issues.chromium.org/issues/366053091

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3213fdcab961026203dd587a4533600c70b3336b	2024-11-17
https://git.kernel.org/stable/c/35770ca6180caa24a2b258c99a87bd437a1ee10f	2024-11-08
https://git.kernel.org/stable/c/5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959	2024-10-17
https://git.kernel.org/stable/c/65d0db500d7c07f0f76fc24a4d837791c4862cd2	2024-09-18
https://git.kernel.org/stable/c/a95a24fcaee1b892e47d5e6dcc403f713874ee80	2024-09-18
https://git.kernel.org/stable/c/954fd4c81f22c4b6ba65379a81fd252971bf4ef3	2024-09-18
https://git.kernel.org/stable/c/79a61cc3fc0466ad2b7b89618a6157785f0293b3	2024-09-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.4.286 Search vendor "Linux" for product "Linux Kernel" and version " < 5.4.286"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.10.229 Search vendor "Linux" for product "Linux Kernel" and version " < 5.10.229"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.15.168 Search vendor "Linux" for product "Linux Kernel" and version " < 5.15.168"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.1.111 Search vendor "Linux" for product "Linux Kernel" and version " < 6.1.111"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.6.52 Search vendor "Linux" for product "Linux Kernel" and version " < 6.6.52"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.10.11 Search vendor "Linux" for product "Linux Kernel" and version " < 6.10.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.11 Search vendor "Linux" for product "Linux Kernel" and version " < 6.11"		en		Affected