CVE-2024-49964

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix memfd_pin_folios free_huge_pages leak

memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages if the pages were not already faulted in, because the folio refcount for pages created by memfd_alloc_folio never goes to 0. memfd_pin_folios needs another folio_put to undo the folio_try_get below:

memfd_alloc_folio() alloc_hugetlb_folio_nodemask() dequeue_hugetlb_folio_nodemask() dequeue_hugetlb_folio_node_exact() folio_ref_unfreeze(folio, 1); ; adds 1 refcount folio_try_get() ; adds 1 refcount hugetlb_add_to_page_cache() ; adds 512 refcount (on x86)

With the fix, after memfd_pin_folios + unpin_folios, the refcount for the (unfaulted) page is 512, which is correct, as the refcount for a faulted unpinned page is 513.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux89c1905d9c140372b7f50ef48f42378cf85d9bc5 < 59e081ff2e91bbf19b8c1ecb75b031f778858383affected
LinuxLinux89c1905d9c140372b7f50ef48f42378cf85d9bc5 < c56b6f3d801d7ec8965993342bdd9e2972b6cb8eaffected
LinuxLinux6.11affected
LinuxLinux0 < 6.11unaffected
LinuxLinux6.11.3 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References