CVE-2024-53096
Vulnerability from cvelistv5
Published
2024-11-25 21:17
Modified
2024-12-19 09:39
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: resolve faulty mmap_region() error path behaviour
The mmap_region() function is somewhat terrifying, with spaghetti-like
control flow and numerous means by which issues can arise and incomplete
state, memory leaks and other unpleasantness can occur.
A large amount of the complexity arises from trying to handle errors late
in the process of mapping a VMA, which forms the basis of recently
observed issues with resource leaks and observable inconsistent state.
Taking advantage of previous patches in this series we move a number of
checks earlier in the code, simplifying things by moving the core of the
logic into a static internal function __mmap_region().
Doing this allows us to perform a number of checks up front before we do
any real work, and allows us to unwind the writable unmap check
unconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE
validation unconditionally also.
We move a number of things here:
1. We preallocate memory for the iterator before we call the file-backed
memory hook, allowing us to exit early and avoid having to perform
complicated and error-prone close/free logic. We carefully free
iterator state on both success and error paths.
2. The enclosing mmap_region() function handles the mapping_map_writable()
logic early. Previously the logic had the mapping_map_writable() at the
point of mapping a newly allocated file-backed VMA, and a matching
mapping_unmap_writable() on success and error paths.
We now do this unconditionally if this is a file-backed, shared writable
mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however
doing so does not invalidate the seal check we just performed, and we in
any case always decrement the counter in the wrapper.
We perform a debug assert to ensure a driver does not attempt to do the
opposite.
3. We also move arch_validate_flags() up into the mmap_region()
function. This is only relevant on arm64 and sparc64, and the check is
only meaningful for SPARC with ADI enabled. We explicitly add a warning
for this arch if a driver invalidates this check, though the code ought
eventually to be fixed to eliminate the need for this.
With all of these measures in place, we no longer need to explicitly close
the VMA on error paths, as we place all checks which might fail prior to a
call to any driver mmap hook.
This eliminates an entire class of errors, makes the code easier to reason
about and more robust.
References
Impacted products
Vendor | Product | Version | |||||
---|---|---|---|---|---|---|---|
▼ | Linux | Linux |
Version: a3c08c021778dad30f69895e378843e9f423d734 Version: 43bed0a13a5cdbb314d14f28c2bf2c60eb4e6e1e Version: deb0f6562884b5b4beb883d73e66a7d3a1b96d99 Version: deb0f6562884b5b4beb883d73e66a7d3a1b96d99 Version: deb0f6562884b5b4beb883d73e66a7d3a1b96d99 |
||||
|
{ "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Linux", "programFiles": [ "mm/mmap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "lessThan": "43323a4e5b3f8ccc08e2f835abfdc7ee9da8f6ed", "status": "affected", "version": "a3c08c021778dad30f69895e378843e9f423d734", "versionType": "git" }, { "lessThan": "44f48eb9a6051826227bbd375446064fb2a43c6c", "status": "affected", "version": "43bed0a13a5cdbb314d14f28c2bf2c60eb4e6e1e", "versionType": "git" }, { "lessThan": "52c81fd0f5a8bf8032687b94ccf00d13b44cc5c8", "status": "affected", "version": "deb0f6562884b5b4beb883d73e66a7d3a1b96d99", "versionType": "git" }, { "lessThan": "bdc136e2b05fabcd780fe5f165d154eb779dfcb0", "status": "affected", "version": "deb0f6562884b5b4beb883d73e66a7d3a1b96d99", "versionType": "git" }, { "lessThan": "5de195060b2e251a835f622759550e6202167641", "status": "affected", "version": "deb0f6562884b5b4beb883d73e66a7d3a1b96d99", "versionType": "git" } ] }, { "defaultStatus": "affected", "product": "Linux", "programFiles": [ "mm/mmap.c" ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "versions": [ { "status": "affected", "version": "6.1" }, { "lessThan": "6.1", "status": "unaffected", "version": "0", "versionType": "semver" }, { "lessThanOrEqual": "5.10.*", "status": "unaffected", "version": "5.10.231", "versionType": "semver" }, { "lessThanOrEqual": "5.15.*", "status": "unaffected", "version": "5.15.174", "versionType": "semver" }, { "lessThanOrEqual": "6.1.*", "status": "unaffected", "version": "6.1.119", "versionType": "semver" }, { "lessThanOrEqual": "6.6.*", "status": "unaffected", "version": "6.6.63", "versionType": "semver" }, { "lessThanOrEqual": "*", "status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix" } ] } ], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: resolve faulty mmap_region() error path behaviour\n\nThe mmap_region() function is somewhat terrifying, with spaghetti-like\ncontrol flow and numerous means by which issues can arise and incomplete\nstate, memory leaks and other unpleasantness can occur.\n\nA large amount of the complexity arises from trying to handle errors late\nin the process of mapping a VMA, which forms the basis of recently\nobserved issues with resource leaks and observable inconsistent state.\n\nTaking advantage of previous patches in this series we move a number of\nchecks earlier in the code, simplifying things by moving the core of the\nlogic into a static internal function __mmap_region().\n\nDoing this allows us to perform a number of checks up front before we do\nany real work, and allows us to unwind the writable unmap check\nunconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE\nvalidation unconditionally also.\n\nWe move a number of things here:\n\n1. We preallocate memory for the iterator before we call the file-backed\n memory hook, allowing us to exit early and avoid having to perform\n complicated and error-prone close/free logic. We carefully free\n iterator state on both success and error paths.\n\n2. The enclosing mmap_region() function handles the mapping_map_writable()\n logic early. Previously the logic had the mapping_map_writable() at the\n point of mapping a newly allocated file-backed VMA, and a matching\n mapping_unmap_writable() on success and error paths.\n\n We now do this unconditionally if this is a file-backed, shared writable\n mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however\n doing so does not invalidate the seal check we just performed, and we in\n any case always decrement the counter in the wrapper.\n\n We perform a debug assert to ensure a driver does not attempt to do the\n opposite.\n\n3. We also move arch_validate_flags() up into the mmap_region()\n function. This is only relevant on arm64 and sparc64, and the check is\n only meaningful for SPARC with ADI enabled. We explicitly add a warning\n for this arch if a driver invalidates this check, though the code ought\n eventually to be fixed to eliminate the need for this.\n\nWith all of these measures in place, we no longer need to explicitly close\nthe VMA on error paths, as we place all checks which might fail prior to a\ncall to any driver mmap hook.\n\nThis eliminates an entire class of errors, makes the code easier to reason\nabout and more robust." } ], "providerMetadata": { "dateUpdated": "2024-12-19T09:39:04.843Z", "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux" }, "references": [ { "url": "https://git.kernel.org/stable/c/43323a4e5b3f8ccc08e2f835abfdc7ee9da8f6ed" }, { "url": "https://git.kernel.org/stable/c/44f48eb9a6051826227bbd375446064fb2a43c6c" }, { "url": "https://git.kernel.org/stable/c/52c81fd0f5a8bf8032687b94ccf00d13b44cc5c8" }, { "url": "https://git.kernel.org/stable/c/bdc136e2b05fabcd780fe5f165d154eb779dfcb0" }, { "url": "https://git.kernel.org/stable/c/5de195060b2e251a835f622759550e6202167641" }, { "url": "https://project-zero.issues.chromium.org/issues/374117290" } ], "title": "mm: resolve faulty mmap_region() error path behaviour", "x_generator": { "engine": "bippy-5f407fcff5a0" } } }, "cveMetadata": { "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "assignerShortName": "Linux", "cveId": "CVE-2024-53096", "datePublished": "2024-11-25T21:17:48.691Z", "dateReserved": "2024-11-19T17:17:24.983Z", "dateUpdated": "2024-12-19T09:39:04.843Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-53096\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-25T22:15:15.287\",\"lastModified\":\"2024-12-18T07:15:07.993\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: resolve faulty mmap_region() error path behaviour\\n\\nThe mmap_region() function is somewhat terrifying, with spaghetti-like\\ncontrol flow and numerous means by which issues can arise and incomplete\\nstate, memory leaks and other unpleasantness can occur.\\n\\nA large amount of the complexity arises from trying to handle errors late\\nin the process of mapping a VMA, which forms the basis of recently\\nobserved issues with resource leaks and observable inconsistent state.\\n\\nTaking advantage of previous patches in this series we move a number of\\nchecks earlier in the code, simplifying things by moving the core of the\\nlogic into a static internal function __mmap_region().\\n\\nDoing this allows us to perform a number of checks up front before we do\\nany real work, and allows us to unwind the writable unmap check\\nunconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE\\nvalidation unconditionally also.\\n\\nWe move a number of things here:\\n\\n1. We preallocate memory for the iterator before we call the file-backed\\n memory hook, allowing us to exit early and avoid having to perform\\n complicated and error-prone close/free logic. We carefully free\\n iterator state on both success and error paths.\\n\\n2. The enclosing mmap_region() function handles the mapping_map_writable()\\n logic early. Previously the logic had the mapping_map_writable() at the\\n point of mapping a newly allocated file-backed VMA, and a matching\\n mapping_unmap_writable() on success and error paths.\\n\\n We now do this unconditionally if this is a file-backed, shared writable\\n mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however\\n doing so does not invalidate the seal check we just performed, and we in\\n any case always decrement the counter in the wrapper.\\n\\n We perform a debug assert to ensure a driver does not attempt to do the\\n opposite.\\n\\n3. We also move arch_validate_flags() up into the mmap_region()\\n function. This is only relevant on arm64 and sparc64, and the check is\\n only meaningful for SPARC with ADI enabled. We explicitly add a warning\\n for this arch if a driver invalidates this check, though the code ought\\n eventually to be fixed to eliminate the need for this.\\n\\nWith all of these measures in place, we no longer need to explicitly close\\nthe VMA on error paths, as we place all checks which might fail prior to a\\ncall to any driver mmap hook.\\n\\nThis eliminates an entire class of errors, makes the code easier to reason\\nabout and more robust.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: resolver el comportamiento defectuoso de la ruta de error mmap_region() La funci\u00f3n mmap_region() es algo aterradora, con un flujo de control tipo espagueti y numerosos medios por los cuales pueden surgir problemas y pueden ocurrir estados incompletos, fugas de memoria y otras cosas desagradables. Una gran parte de la complejidad surge de intentar manejar errores tarde en el proceso de mapeo de un VMA, que forma la base de los problemas observados recientemente con fugas de recursos y estado inconsistente observable. Aprovechando los parches anteriores de esta serie, movemos una serie de verificaciones antes en el c\u00f3digo, simplificando las cosas al mover el n\u00facleo de la l\u00f3gica a una funci\u00f3n interna est\u00e1tica __mmap_region(). Hacer esto nos permite realizar una serie de verificaciones por adelantado antes de hacer cualquier trabajo real, y nos permite desenrollar la verificaci\u00f3n de desasignaci\u00f3n escribible incondicionalmente seg\u00fan sea necesario y realizar una validaci\u00f3n CONFIG_DEBUG_VM_MAPLE_TREE incondicionalmente tambi\u00e9n. Aqu\u00ed movemos una serie de cosas: 1. Preasignamos memoria para el iterador antes de llamar al gancho de memoria respaldado por archivo, lo que nos permite salir antes y evitar tener que realizar una l\u00f3gica de cierre/liberaci\u00f3n complicada y propensa a errores. Liberamos cuidadosamente el estado del iterador tanto en las rutas de \u00e9xito como de error. 2. La funci\u00f3n mmap_region() que lo encierra maneja la l\u00f3gica mapping_map_writable() de forma temprana. Anteriormente, la l\u00f3gica ten\u00eda mapping_map_writable() en el punto de mapeo de un VMA respaldado por archivo recientemente asignado y un mapping_unmap_writable() coincidente en las rutas de \u00e9xito y error. Ahora hacemos esto incondicionalmente si se trata de un mapeo compartido escribible respaldado por archivo. Sin embargo, si un controlador cambia los indicadores para eliminar VM_MAYWRITE, al hacerlo no invalida la verificaci\u00f3n de sello que acabamos de realizar y, en cualquier caso, siempre decrementamos el contador en el contenedor. Realizamos una aserci\u00f3n de depuraci\u00f3n para asegurarnos de que un controlador no intente hacer lo contrario. 3. Tambi\u00e9n trasladamos arch_validate_flags() a la funci\u00f3n mmap_region(). Esto solo es relevante en arm64 y sparc64, y la comprobaci\u00f3n solo es significativa para SPARC con ADI habilitado. Agregamos expl\u00edcitamente una advertencia para esta arquitectura si un controlador invalida esta comprobaci\u00f3n, aunque el c\u00f3digo deber\u00eda corregirse eventualmente para eliminar la necesidad de esto. Con todas estas medidas implementadas, ya no necesitamos cerrar expl\u00edcitamente el VMA en las rutas de error, ya que colocamos todas las comprobaciones que podr\u00edan fallar antes de una llamada a cualquier gancho mmap del controlador. Esto elimina una clase completa de errores, hace que el c\u00f3digo sea m\u00e1s f\u00e1cil de razonar y m\u00e1s robusto.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/43323a4e5b3f8ccc08e2f835abfdc7ee9da8f6ed\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/44f48eb9a6051826227bbd375446064fb2a43c6c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/52c81fd0f5a8bf8032687b94ccf00d13b44cc5c8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5de195060b2e251a835f622759550e6202167641\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bdc136e2b05fabcd780fe5f165d154eb779dfcb0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://project-zero.issues.chromium.org/issues/374117290\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.