CVE-2024-46787

一、漏洞信息
 漏洞编号：[CVE-2024-46787](https://nvd.nist.gov/vuln/detail/CVE-2024-46787)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V3.0分值：
  BaseScore：4.7 Medium
  Vector：CVSS：3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:userfaultfd: fix checks for huge PMDsPatch series  userfaultfd: fix races around pmd_trans_huge() check , v2.The pmd_trans_huge() code in mfill_atomic() is wrong in three differentways depending on kernel version:1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit   the right two race windows) - I ve tested this in a kernel build with   some extra mdelay() calls. See the commit message for a description   of the race scenario.   On older kernels (before 6.5), I think the same bug can even   theoretically lead to accessing transhuge page contents as a page table   if you hit the right 5 narrow race windows (I haven t tested this case).2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for   detecting PMDs that don t point to page tables.   On older kernels (before 6.5), you d just have to win a single fairly   wide race to hit this.   I ve tested this on 6.1 stable by racing migration (with a mdelay()   patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86   VM, that causes a kernel oops in ptlock_ptr().3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed   to yank page tables out from under us (though I haven t tested that),   so I think the BUG_ON() checks in mfill_atomic() are just wrong.I decided to write two separate fixes for these (one fix for bugs 1+2, onefix for bug 3), so that the first fix can be backported to kernelsaffected by bugs 1+2.This patch (of 2):This fixes two issues.I discovered that the following race can occur:  mfill_atomic                other thread  ============                ============                              <zap PMD>  pmdp_get_lockless() [reads none pmd]  <bail if trans_huge>  <if none:>                              <pagefault creates transhuge zeropage>    __pte_alloc [no-op]                              <zap PMD>  <bail if pmd_trans_huge(*dst_pmd)>  BUG_ON(pmd_none(*dst_pmd))I have experimentally verified this in a kernel with extra mdelay() calls;the BUG_ON(pmd_none(*dst_pmd)) triggers.On kernels newer than commit 0d940a9b270b ( mm/pgtable: allowpte_offset_map[_lock]() to fail ), this can t lead to anything worse thana BUG_ON(), since the page table access helpers are actually designed todeal with page tables concurrently disappearing; but on older kernels(<=6.4), I think we could probably theoretically race past the twoBUG_ON() checks and end up treating a hugepage as a page table.The second issue is that, as Qi Zheng pointed out, there are other typesof huge PMDs that pmd_trans_huge() can t catch: devmap PMDs and swap PMDs(in particular, migration PMDs).On <=6.4, this is worse than the first issue: If mfill_atomic() runs on aPMD that contains a migration entry (which just requires winning a single,fairly wide race), it will pass the PMD to pte_offset_map_lock(), whichassumes that the PMD points to a page table.Breakage follows: First, the kernel tries to take the PTE lock (which willcrash or maybe worse if there is no  struct page  for the address bits inthe migration entry PMD - I think at least on X86 there usually is nocorresponding  struct page  thanks to the PTE inversion mitigation, amd64looks different).If that didn t crash, the kernel would next try to write a PTE into whatit wrongly thinks is a page table.As part of fixing these issues, get rid of the check for pmd_trans_huge()before __pte_alloc() - that s redundant, we re going to have to check forthat after the __pte_alloc() anyway.Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.
 漏洞公开时间：2024-09-18 16:15:05
 漏洞创建时间：2024-09-18 17:00:24
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-46787
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/3c6b4bcf37845c9359aed926324bed66bdd2448d |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/71c186efc1b2cf1aeabfeff3b9bd5ac4c5ac14d8 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/98cc18b1b71e23fe81a5194ed432b20c2d81a01a |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-46787 | https://bugzilla.suse.com/show_bug.cgi?id=1230815 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-46787.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1230815 |
| suse_bugzilla | https://git.kernel.org/stable/c/3c6b4bcf37845c9359aed926324bed66bdd2448d | https://bugzilla.suse.com/show_bug.cgi?id=1230815 |
| suse_bugzilla | https://git.kernel.org/stable/c/98cc18b1b71e23fe81a5194ed432b20c2d81a01a | https://bugzilla.suse.com/show_bug.cgi?id=1230815 |
| suse_bugzilla | https://git.kernel.org/stable/c/71c186efc1b2cf1aeabfeff3b9bd5ac4c5ac14d8 | https://bugzilla.suse.com/show_bug.cgi?id=1230815 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-46787 | https://bugzilla.suse.com/show_bug.cgi?id=1230815 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2313135 | https://bugzilla.suse.com/show_bug.cgi?id=1230815 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-46787 |
| mageia |  | http://advisories.mageia.org/MGASA-2024-0316.html |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2024-46787 | https://explore.alas.aws.amazon.com/CVE-2024-46787.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46787 | https://explore.alas.aws.amazon.com/CVE-2024-46787.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://git.kernel.org/stable/c/3c6b4bcf37845c9359aed926324bed66bdd2448d |  | nvd |
|  |  | https://git.kernel.org/stable/c/71c186efc1b2cf1aeabfeff3b9bd5ac4c5ac14d8 |  | nvd |
|  |  | https://git.kernel.org/stable/c/98cc18b1b71e23fe81a5194ed432b20c2d81a01a |  | nvd |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  Reserved.
 openEuler评分：
  4.7
 Vector：CVSS：3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP3(5.10.0):受影响
3.openEuler-22.03-LTS-SP4(5.10.0):受影响
4.openEuler-24.03-LTS(6.6.0):受影响
5.master(6.6.0):不受影响
6.openEuler-24.03-LTS-Next(6.6.0):不受影响
7.openEuler-24.03-LTS-SP1(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.6.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否
8.openEuler-24.03-LTS-SP1(6.6.0):否

原因说明：
  1.openEuler-22.03-LTS-SP3(5.10.0):正常修复
2.openEuler-22.03-LTS-SP4(5.10.0):正常修复
3.openEuler-24.03-LTS(6.6.0):正常修复
4.openEuler-20.03-LTS-SP4(4.19.90):不修复-超出修复范围
5.master(6.6.0):不受影响-漏洞代码不能被攻击者触发
6.openEuler-24.03-LTS-Next(6.6.0):不受影响-漏洞代码不能被攻击者触发
7.openEuler-24.03-LTS-SP1(6.6.0):不受影响-漏洞代码不存在

src-openEuler/kernel

内容风险标识

评论 (33)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-46787

评论 (33)

搜索帮助

src-openEuler/kernel