CVE-2024-53111
Vulnerability from cvelistv5
Published
2024-12-02 13:44
Modified
2024-12-19 09:39
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/mremap: fix address wraparound in move_page_tables() On 32-bit platforms, it is possible for the expression `len + old_addr < old_end` to be false-positive if `len + old_addr` wraps around. `old_addr` is the cursor in the old range up to which page table entries have been moved; so if the operation succeeded, `old_addr` is the *end* of the old region, and adding `len` to it can wrap. The overflow causes mremap() to mistakenly believe that PTEs have been copied; the consequence is that mremap() bails out, but doesn't move the PTEs back before the new VMA is unmapped, causing anonymous pages in the region to be lost. So basically if userspace tries to mremap() a private-anon region and hits this bug, mremap() will return an error and the private-anon region's contents appear to have been zeroed. The idea of this check is that `old_end - len` is the original start address, and writing the check that way also makes it easier to read; so fix the check by rearranging the comparison accordingly. (An alternate fix would be to refactor this function by introducing an "orig_old_start" variable or such.) Tested in a VM with a 32-bit X86 kernel; without the patch: ``` user@horn:~/big_mremap$ cat test.c #define _GNU_SOURCE #include <stdlib.h> #include <stdio.h> #include <err.h> #include <sys/mman.h> #define ADDR1 ((void*)0x60000000) #define ADDR2 ((void*)0x10000000) #define SIZE 0x50000000uL int main(void) { unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0); if (p1 == MAP_FAILED) err(1, "mmap 1"); unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0); if (p2 == MAP_FAILED) err(1, "mmap 2"); *p1 = 0x41; printf("first char is 0x%02hhx\n", *p1); unsigned char *p3 = mremap(p1, SIZE, SIZE, MREMAP_MAYMOVE|MREMAP_FIXED, p2); if (p3 == MAP_FAILED) { printf("mremap() failed; first char is 0x%02hhx\n", *p1); } else { printf("mremap() succeeded; first char is 0x%02hhx\n", *p3); } } user@horn:~/big_mremap$ gcc -static -o test test.c user@horn:~/big_mremap$ setarch -R ./test first char is 0x41 mremap() failed; first char is 0x00 ``` With the patch: ``` user@horn:~/big_mremap$ setarch -R ./test first char is 0x41 mremap() succeeded; first char is 0x41 ```
Impacted products
Vendor Product Version
Linux Linux Version: 6.7
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/mremap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "909543dc279a91122fb08e4653a72b82f0ad28f4",
              "status": "affected",
              "version": "af8ca1c149069176e6322a77b532e3ffd99ccffe",
              "versionType": "git"
            },
            {
              "lessThan": "a4a282daf1a190f03790bf163458ea3c8d28d217",
              "status": "affected",
              "version": "af8ca1c149069176e6322a77b532e3ffd99ccffe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/mremap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix address wraparound in move_page_tables()\n\nOn 32-bit platforms, it is possible for the expression `len + old_addr \u003c\nold_end` to be false-positive if `len + old_addr` wraps around. \n`old_addr` is the cursor in the old range up to which page table entries\nhave been moved; so if the operation succeeded, `old_addr` is the *end* of\nthe old region, and adding `len` to it can wrap.\n\nThe overflow causes mremap() to mistakenly believe that PTEs have been\ncopied; the consequence is that mremap() bails out, but doesn\u0027t move the\nPTEs back before the new VMA is unmapped, causing anonymous pages in the\nregion to be lost.  So basically if userspace tries to mremap() a\nprivate-anon region and hits this bug, mremap() will return an error and\nthe private-anon region\u0027s contents appear to have been zeroed.\n\nThe idea of this check is that `old_end - len` is the original start\naddress, and writing the check that way also makes it easier to read; so\nfix the check by rearranging the comparison accordingly.\n\n(An alternate fix would be to refactor this function by introducing an\n\"orig_old_start\" variable or such.)\n\n\nTested in a VM with a 32-bit X86 kernel; without the patch:\n\n```\nuser@horn:~/big_mremap$ cat test.c\n#define _GNU_SOURCE\n#include \u003cstdlib.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cerr.h\u003e\n#include \u003csys/mman.h\u003e\n\n#define ADDR1 ((void*)0x60000000)\n#define ADDR2 ((void*)0x10000000)\n#define SIZE          0x50000000uL\n\nint main(void) {\n  unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n  if (p1 == MAP_FAILED)\n    err(1, \"mmap 1\");\n  unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n  if (p2 == MAP_FAILED)\n    err(1, \"mmap 2\");\n  *p1 = 0x41;\n  printf(\"first char is 0x%02hhx\\n\", *p1);\n  unsigned char *p3 = mremap(p1, SIZE, SIZE,\n      MREMAP_MAYMOVE|MREMAP_FIXED, p2);\n  if (p3 == MAP_FAILED) {\n    printf(\"mremap() failed; first char is 0x%02hhx\\n\", *p1);\n  } else {\n    printf(\"mremap() succeeded; first char is 0x%02hhx\\n\", *p3);\n  }\n}\nuser@horn:~/big_mremap$ gcc -static -o test test.c\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() failed; first char is 0x00\n```\n\nWith the patch:\n\n```\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() succeeded; first char is 0x41\n```"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:39:27.201Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/909543dc279a91122fb08e4653a72b82f0ad28f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4a282daf1a190f03790bf163458ea3c8d28d217"
        }
      ],
      "title": "mm/mremap: fix address wraparound in move_page_tables()",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53111",
    "datePublished": "2024-12-02T13:44:43.478Z",
    "dateReserved": "2024-11-19T17:17:24.993Z",
    "dateUpdated": "2024-12-19T09:39:27.201Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53111\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-12-02T14:15:11.903\",\"lastModified\":\"2024-12-11T20:27:04.360\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/mremap: fix address wraparound in move_page_tables()\\n\\nOn 32-bit platforms, it is possible for the expression `len + old_addr \u003c\\nold_end` to be false-positive if `len + old_addr` wraps around. \\n`old_addr` is the cursor in the old range up to which page table entries\\nhave been moved; so if the operation succeeded, `old_addr` is the *end* of\\nthe old region, and adding `len` to it can wrap.\\n\\nThe overflow causes mremap() to mistakenly believe that PTEs have been\\ncopied; the consequence is that mremap() bails out, but doesn\u0027t move the\\nPTEs back before the new VMA is unmapped, causing anonymous pages in the\\nregion to be lost.  So basically if userspace tries to mremap() a\\nprivate-anon region and hits this bug, mremap() will return an error and\\nthe private-anon region\u0027s contents appear to have been zeroed.\\n\\nThe idea of this check is that `old_end - len` is the original start\\naddress, and writing the check that way also makes it easier to read; so\\nfix the check by rearranging the comparison accordingly.\\n\\n(An alternate fix would be to refactor this function by introducing an\\n\\\"orig_old_start\\\" variable or such.)\\n\\n\\nTested in a VM with a 32-bit X86 kernel; without the patch:\\n\\n```\\nuser@horn:~/big_mremap$ cat test.c\\n#define _GNU_SOURCE\\n#include \u003cstdlib.h\u003e\\n#include \u003cstdio.h\u003e\\n#include \u003cerr.h\u003e\\n#include \u003csys/mman.h\u003e\\n\\n#define ADDR1 ((void*)0x60000000)\\n#define ADDR2 ((void*)0x10000000)\\n#define SIZE          0x50000000uL\\n\\nint main(void) {\\n  unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,\\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\\n  if (p1 == MAP_FAILED)\\n    err(1, \\\"mmap 1\\\");\\n  unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,\\n      MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\\n  if (p2 == MAP_FAILED)\\n    err(1, \\\"mmap 2\\\");\\n  *p1 = 0x41;\\n  printf(\\\"first char is 0x%02hhx\\\\n\\\", *p1);\\n  unsigned char *p3 = mremap(p1, SIZE, SIZE,\\n      MREMAP_MAYMOVE|MREMAP_FIXED, p2);\\n  if (p3 == MAP_FAILED) {\\n    printf(\\\"mremap() failed; first char is 0x%02hhx\\\\n\\\", *p1);\\n  } else {\\n    printf(\\\"mremap() succeeded; first char is 0x%02hhx\\\\n\\\", *p3);\\n  }\\n}\\nuser@horn:~/big_mremap$ gcc -static -o test test.c\\nuser@horn:~/big_mremap$ setarch -R ./test\\nfirst char is 0x41\\nmremap() failed; first char is 0x00\\n```\\n\\nWith the patch:\\n\\n```\\nuser@horn:~/big_mremap$ setarch -R ./test\\nfirst char is 0x41\\nmremap() succeeded; first char is 0x41\\n```\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/mremap: se corrige el envoltorio de direcciones en move_page_tables() En plataformas de 32 bits, es posible que la expresi\u00f3n `len + old_addr \u0026lt; old_end` sea un falso positivo si `len + old_addr` realiza un envoltorio. `old_addr` es el cursor en el rango antiguo hasta el cual se han movido las entradas de la tabla de p\u00e1ginas; por lo que si la operaci\u00f3n tuvo \u00e9xito, `old_addr` es el *final* de la regi\u00f3n antigua, y agregarle `len` puede realizar un envoltorio. El desbordamiento hace que mremap() crea err\u00f3neamente que se han copiado las PTE; la consecuencia es que mremap() se retira, pero no mueve las PTE de nuevo antes de que se desasigne el nuevo VMA, lo que provoca que se pierdan las p\u00e1ginas an\u00f3nimas en la regi\u00f3n. B\u00e1sicamente, si el espacio de usuario intenta ejecutar mremap() en una regi\u00f3n privada-anon y encuentra este error, mremap() devolver\u00e1 un error y el contenido de la regi\u00f3n privada-anon parecer\u00e1 haber sido puesto a cero. La idea de esta comprobaci\u00f3n es que `old_end - len` sea la direcci\u00f3n de inicio original, y escribir la comprobaci\u00f3n de esa manera tambi\u00e9n facilita la lectura; por lo tanto, arregle la comprobaci\u00f3n reorganizando la comparaci\u00f3n en consecuencia. (Un workaround ser\u00eda refactorizar esta funci\u00f3n introduciendo una variable \\\"orig_old_start\\\" o algo similar). Probado en una m\u00e1quina virtual con un n\u00facleo X86 de 32 bits; sin el parche: ``` usuario@horn:~/big_mremap$ cat test.c #define _GNU_SOURCE #include  #include  #include  #include  #define ADDR1 ((void*)0x60000000) #define ADDR2 ((void*)0x10000000) #define SIZE 0x50000000uL int main(void) { unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0); if (p1 == MAP_FAILED) err(1, \\\"mmap 1\\\"); car\u00e1cter sin signo *p2 = mmap(ADDR2, SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0); si (p2 == MAP_FAILED) err(1, \\\"mmap 2\\\"); *p1 = 0x41; printf(\\\"el primer car\u00e1cter es 0x%02hhx\\\\n\\\", *p1); car\u00e1cter sin signo *p3 = mremap(p1, SIZE, SIZE, MREMAP_MAYMOVE|MREMAP_FIXED, p2); si (p3 == MAP_FAILED) { printf(\\\"mremap() fall\u00f3; el primer car\u00e1cter es 0x%02hhx\\\\n\\\", *p1); } de lo contrario { printf(\\\"mremap() tuvo \u00e9xito; el primer car\u00e1cter es 0x%02hhx\\\\n\\\", *p3); } } usuario@horn:~/big_mremap$ gcc -static -o test test.c usuario@horn:~/big_mremap$ setarch -R ./test el primer car\u00e1cter es 0x41 mremap() fall\u00f3; el primer car\u00e1cter es 0x00 ``` Con el parche: ``` usuario@horn:~/big_mremap$ setarch -R ./test el primer car\u00e1cter es 0x41 mremap() tuvo \u00e9xito; el primer car\u00e1cter es 0x41 ```\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.10\",\"matchCriteriaId\":\"C256F46A-AFDD-4B99-AA4F-67D9D9D2C55A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C95E234-D335-4B6C-96BF-E2CEBD8654ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F717D8-3014-4F84-8086-0124B2111379\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"24DBE6C7-2AAE-4818-AED2-E131F153D2FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"24B88717-53F5-42AA-9B72-14C707639E3F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"1EF8CD82-1EAE-4254-9545-F85AB94CF90F\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/909543dc279a91122fb08e4653a72b82f0ad28f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a4a282daf1a190f03790bf163458ea3c8d28d217\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.