cve-2024-35993
Vulnerability from cvelistv5
Published
2024-05-20 09:47
Modified
2024-11-05 09:26
Severity ?
Summary
mm: turn folio_test_hugetlb into a PageType
Impacted products
Vendor Product Version
Linux Linux Version: 6.6
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35993",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-20T14:06:03.625705Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:33:44.623Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:30:12.237Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2431b5f2650dfc47ce782d1ca7b02d6b3916976f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d99e3140a4d33e26066183ff727d8f02f56bec64"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/page-flags.h",
            "include/trace/events/mmflags.h",
            "kernel/vmcore_info.c",
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2431b5f2650d",
              "status": "affected",
              "version": "9c5ccf2db04b",
              "versionType": "git"
            },
            {
              "lessThan": "9fdcc5b6359d",
              "status": "affected",
              "version": "9c5ccf2db04b",
              "versionType": "git"
            },
            {
              "lessThan": "d99e3140a4d3",
              "status": "affected",
              "version": "9c5ccf2db04b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/page-flags.h",
            "include/trace/events/mmflags.h",
            "kernel/vmcore_info.c",
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: turn folio_test_hugetlb into a PageType\n\nThe current folio_test_hugetlb() can be fooled by a concurrent folio split\ninto returning true for a folio which has never belonged to hugetlbfs. \nThis can\u0027t happen if the caller holds a refcount on it, but we have a few\nplaces (memory-failure, compaction, procfs) which do not and should not\ntake a speculative reference.\n\nSince hugetlb pages do not use individual page mapcounts (they are always\nfully mapped and use the entire_mapcount field to record the number of\nmappings), the PageType field is available now that page_mapcount()\nignores the value in this field.\n\nIn compaction and with CONFIG_DEBUG_VM enabled, the current implementation\ncan result in an oops, as reported by Luis. This happens since 9c5ccf2db04b\n(\"mm: remove HUGETLB_PAGE_DTOR\") effectively added some VM_BUG_ON() checks\nin the PageHuge() testing path.\n\n[willy@infradead.org: update vmcoreinfo]\n  Link: https://lkml.kernel.org/r/ZgGZUvsdhaT1Va-T@casper.infradead.org"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:26:24.206Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2431b5f2650dfc47ce782d1ca7b02d6b3916976f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32"
        },
        {
          "url": "https://git.kernel.org/stable/c/d99e3140a4d33e26066183ff727d8f02f56bec64"
        }
      ],
      "title": "mm: turn folio_test_hugetlb into a PageType",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35993",
    "datePublished": "2024-05-20T09:47:57.739Z",
    "dateReserved": "2024-05-17T13:50:33.147Z",
    "dateUpdated": "2024-11-05T09:26:24.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35993\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-20T10:15:13.463\",\"lastModified\":\"2024-11-21T09:21:23.090\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: turn folio_test_hugetlb into a PageType\\n\\nThe current folio_test_hugetlb() can be fooled by a concurrent folio split\\ninto returning true for a folio which has never belonged to hugetlbfs. \\nThis can\u0027t happen if the caller holds a refcount on it, but we have a few\\nplaces (memory-failure, compaction, procfs) which do not and should not\\ntake a speculative reference.\\n\\nSince hugetlb pages do not use individual page mapcounts (they are always\\nfully mapped and use the entire_mapcount field to record the number of\\nmappings), the PageType field is available now that page_mapcount()\\nignores the value in this field.\\n\\nIn compaction and with CONFIG_DEBUG_VM enabled, the current implementation\\ncan result in an oops, as reported by Luis. This happens since 9c5ccf2db04b\\n(\\\"mm: remove HUGETLB_PAGE_DTOR\\\") effectively added some VM_BUG_ON() checks\\nin the PageHuge() testing path.\\n\\n[willy@infradead.org: update vmcoreinfo]\\n  Link: https://lkml.kernel.org/r/ZgGZUvsdhaT1Va-T@casper.infradead.org\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: convierte folio_test_hugetlb en un PageType. El folio_test_hugetlb() actual puede ser enga\u00f1ado por una divisi\u00f3n de folio concurrente y devuelve verdadero para un folio que nunca ha pertenecido a hugetlbfs. Esto no puede suceder si la persona que llama tiene un recuento sobre \u00e9l, pero tenemos algunos lugares (fallo de memoria, compactaci\u00f3n, procfs) que no toman ni deben tomar una referencia especulativa. Dado que las p\u00e1ginas de Hugetlb no usan recuentos de mapas de p\u00e1ginas individuales (siempre est\u00e1n completamente asignadas y usan el campo Whole_mapcount para registrar el n\u00famero de asignaciones), el campo PageType est\u00e1 disponible ahora que page_mapcount() ignora el valor en este campo. En compactaci\u00f3n y con CONFIG_DEBUG_VM habilitado, la implementaci\u00f3n actual puede resultar en un error, seg\u00fan lo informado por Luis. Esto sucede desde que 9c5ccf2db04b (\\\"mm: eliminar HUGETLB_PAGE_DTOR\\\") agreg\u00f3 efectivamente algunas comprobaciones de VM_BUG_ON() en la ruta de prueba de PageHuge(). [willy@infradead.org: actualizar vmcoreinfo] Enlace: https://lkml.kernel.org/r/ZgGZUvsdhaT1Va-T@casper.infradead.org\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2431b5f2650dfc47ce782d1ca7b02d6b3916976f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d99e3140a4d33e26066183ff727d8f02f56bec64\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2431b5f2650dfc47ce782d1ca7b02d6b3916976f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/d99e3140a4d33e26066183ff727d8f02f56bec64\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.