CVE-2024-35993

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm: turn folio_test_hugetlb into a PageType

The current folio_test_hugetlb() can be fooled by a concurrent folio split into returning true for a folio which has never belonged to hugetlbfs. This can't happen if the caller holds a refcount on it, but we have a few places (memory-failure, compaction, procfs) which do not and should not take a speculative reference.

Since hugetlb pages do not use individual page mapcounts (they are always fully mapped and use the entire_mapcount field to record the number of mappings), the PageType field is available now that page_mapcount() ignores the value in this field.

In compaction and with CONFIG_DEBUG_VM enabled, the current implementation can result in an oops, as reported by Luis. This happens since 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR") effectively added some VM_BUG_ON() checks in the PageHuge() testing path.

[willy@infradead.org: update vmcoreinfo]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9c5ccf2db04b8d7c3df363fdd4856c2b79ab2c6a < 2431b5f2650dfc47ce782d1ca7b02d6b3916976faffected
LinuxLinux9c5ccf2db04b8d7c3df363fdd4856c2b79ab2c6a < 9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32affected
LinuxLinux9c5ccf2db04b8d7c3df363fdd4856c2b79ab2c6a < d99e3140a4d33e26066183ff727d8f02f56bec64affected
LinuxLinux6.6affected
LinuxLinux0 < 6.6unaffected
LinuxLinux6.6.30 <= 6.6.*unaffected
LinuxLinux6.8.9 <= 6.8.*unaffected
LinuxLinux6.9 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References