// For flags

CVE-2024-50140

sched/core: Disable page allocation in task_tick_mm_cid()

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

sched/core: Disable page allocation in task_tick_mm_cid()

With KASAN and PREEMPT_RT enabled, calling task_work_add() in
task_tick_mm_cid() may cause the following splat.

[ 63.696416] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe
[ 63.696416] preempt_count: 10001, expected: 0
[ 63.696416] RCU nest depth: 1, expected: 1

This problem is caused by the following call trace.

sched_tick() [ acquire rq->__lock ]
-> task_tick_mm_cid()
-> task_work_add()
-> __kasan_record_aux_stack()
-> kasan_save_stack()
-> stack_depot_save_flags()
-> alloc_pages_mpol_noprof()
-> __alloc_pages_noprof()
-> get_page_from_freelist()
-> rmqueue()
-> rmqueue_pcplist()
-> __rmqueue_pcplist()
-> rmqueue_bulk()
-> rt_spin_lock()

The rq lock is a raw_spinlock_t. We can't sleep while holding
it. IOW, we can't call alloc_pages() in stack_depot_save_flags().

The task_tick_mm_cid() function with its task_work_add() call was
introduced by commit 223baf9d17f2 ("sched: Fix performance regression
introduced by mm_cid") in v6.4 kernel.

Fortunately, there is a kasan_record_aux_stack_noalloc() variant that
calls stack_depot_save_flags() while not allowing it to allocate
new pages. To allow task_tick_mm_cid() to use task_work without
page allocation, a new TWAF_NO_ALLOC flag is added to enable calling
kasan_record_aux_stack_noalloc() instead of kasan_record_aux_stack()
if set. The task_tick_mm_cid() function is modified to add this new flag.

The possible downside is the missing stack trace in a KASAN report due
to new page allocation required when task_work_add_noallloc() is called
which should be rare.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sched/core: Deshabilitar la asignación de páginas en task_tick_mm_cid() Con KASAN y PREEMPT_RT habilitados, llamar a task_work_add() en task_tick_mm_cid() puede causar el siguiente splat. [ 63.696416] ERROR: función inactiva llamada desde un contexto no válido en kernel/locking/spinlock_rt.c:48 [ 63.696416] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 610, name: modprobe [ 63.696416] preempt_count: 10001, esperado: 0 [ 63.696416] Profundidad de anidación de RCU: 1, esperado: 1 Este problema es causado por el siguiente seguimiento de llamada. sched_tick() [ adquirir rq->__lock ] -> task_tick_mm_cid() -> task_work_add() -> __kasan_record_aux_stack() -> kasan_save_stack() -> stack_depot_save_flags() -> alloc_pages_mpol_noprof() -> __alloc_pages_noprof() -> get_page_from_freelist() -> rmqueue() -> rmqueue_pcplist() -> __rmqueue_pcplist() -> rmqueue_bulk() -> rt_spin_lock() El bloqueo rq es un raw_spinlock_t. No podemos dormir mientras lo mantenemos. Es decir, no podemos llamar a alloc_pages() en stack_depot_save_flags(). La función task_tick_mm_cid() con su llamada task_work_add() fue introducida por el commit 223baf9d17f2 ("sched: Fix performance regression presented by mm_cid") en el kernel v6.4. Afortunadamente, hay una variante kasan_record_aux_stack_noalloc() que llama a stack_depot_save_flags() pero no le permite asignar nuevas páginas. Para permitir que task_tick_mm_cid() use task_work sin asignación de páginas, se agrega un nuevo indicador TWAF_NO_ALLOC para habilitar la llamada a kasan_record_aux_stack_noalloc() en lugar de kasan_record_aux_stack() si está configurado. La función task_tick_mm_cid() se modifica para agregar este nuevo indicador. La posible desventaja es la falta de seguimiento de pila en un informe KASAN debido a la nueva asignación de página requerida cuando se llama a task_work_add_noallloc(), lo que debería ser poco común.

*Credits: N/A
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-10-21 CVE Reserved
  • 2024-11-07 CVE Published
  • 2024-11-07 CVE Updated
  • ---------- EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.4 < 6.6.59
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.6.59"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.4 < 6.11.6
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.11.6"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 6.4 < 6.12-rc4
Search vendor "Linux" for product "Linux Kernel" and version " >= 6.4 < 6.12-rc4"
en
Affected