CVE-2024-47674

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm: avoid leaving partial pfn mappings around in error case

As Jann points out, PFN mappings are special, because unlike normal memory mappings, there is no lifetime information associated with the mapping - it is just a raw mapping of PFNs with no reference counting of a 'struct page'.

That's all very much intentional, but it does mean that it's easy to mess up the cleanup in case of errors. Yes, a failed mmap() will always eventually clean up any partial mappings, but without any explicit lifetime in the page table mapping itself, it's very easy to do the error handling in the wrong order.

In particular, it's easy to mistakenly free the physical backing store before the page tables are actually cleaned up and (temporarily) have stale dangling PTE entries.

To make this situation less error-prone, just make sure that any partial pfn mapping is torn down early, before any other error handling.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb97a50adb37e98b940a30c4656565ff609aa8f94 < 3213fdcab961026203dd587a4533600c70b3336baffected
LinuxLinux69d4e1ce9087c8767f2fe9b9426fa2755c8e9072 < 35770ca6180caa24a2b258c99a87bd437a1ee10faffected
LinuxLinux74ffa5a3e68504dd289135b1cf0422c19ffb3f2e < 5b2c8b34f6d76bfbd1dd4936eb8a0fbfb9af3959affected
LinuxLinux74ffa5a3e68504dd289135b1cf0422c19ffb3f2e < 65d0db500d7c07f0f76fc24a4d837791c4862cd2affected
LinuxLinux74ffa5a3e68504dd289135b1cf0422c19ffb3f2e < a95a24fcaee1b892e47d5e6dcc403f713874ee80affected
LinuxLinux74ffa5a3e68504dd289135b1cf0422c19ffb3f2e < 954fd4c81f22c4b6ba65379a81fd252971bf4ef3affected
LinuxLinux74ffa5a3e68504dd289135b1cf0422c19ffb3f2e < 79a61cc3fc0466ad2b7b89618a6157785f0293b3affected
LinuxLinux5.13affected
LinuxLinux0 < 5.13unaffected
LinuxLinux5.15.168 <= 5.15.*unaffected
LinuxLinux6.1.111 <= 6.1.*unaffected
LinuxLinux6.6.52 <= 6.6.*unaffected
LinuxLinux6.10.11 <= 6.10.*unaffected
LinuxLinux6.11 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References