一、漏洞信息
漏洞编号：CVE-2024-57937
漏洞归属组件：kernel
漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.19,6.4.0,6.6.0
CVSS V3.0分值：
BaseScore：5.5 Medium
Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
漏洞简述：
In the Linux kernel, the following vulnerability has been resolved:mm: reinstate ability to map write-sealed memfd mappings read-onlyPatch series mm: reinstate ability to map write-sealed memfd mappingsread-only .In commit 158978945f31 ( mm: perform the mapping_map_writable() checkafter call_mmap() ) (and preceding changes in the same series) it becamepossible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.Commit 5de195060b2e ( mm: resolve faulty mmap_region() error pathbehaviour ) unintentionally undid this logic by moving themapping_map_writable() check before the shmem_mmap() hook is invoked,thereby regressing this change.This series reworks how we both permit write-sealed mappings being mappedread-only and disallow mprotect() from undoing the write-seal, fixing thisregression.We also add a regression test to ensure that we do not accidentallyregress this in future.Thanks to Julian Orth for reporting this regression.This patch (of 2):In commit 158978945f31 ( mm: perform the mapping_map_writable() checkafter call_mmap() ) (and preceding changes in the same series) it becamepossible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.This was previously unnecessarily disallowed, despite the man pagedocumentation indicating that it would be, thereby limiting the usefulnessof F_SEAL_WRITE logic.We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITEseal (one which disallows future writes to the memfd) to also be used forF_SEAL_WRITE.For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for aread-only mapping to disallow mprotect() from overriding the seal - anoperation performed by seal_check_write(), invoked from shmem_mmap(), thef_op->mmap() hook used by shmem mappings.By extending this to F_SEAL_WRITE and critically - checkingmapping_map_writable() to determine if we may map the memfd AFTER weinvoke shmem_mmap() - the desired logic becomes possible. This is becausemapping_map_writable() explicitly checks for VM_MAYWRITE, which we willhave cleared.Commit 5de195060b2e ( mm: resolve faulty mmap_region() error pathbehaviour ) unintentionally undid this logic by moving themapping_map_writable() check before the shmem_mmap() hook is invoked,thereby regressing this change.We reinstate this functionality by moving the check out of shmem_mmap()and instead performing it in do_mmap() at the point at which VMA flags arebeing determined, which seems in any case to be a more appropriate placein which to make this determination.In order to achieve this we rework memfd seal logic to allow us access tothis information using existing logic and eliminate the clearing ofVM_MAYWRITE from seal_check_write() which we are performing in do_mmap()instead.
漏洞公开时间：2025-01-21 20:15:27
漏洞创建时间：2025-01-24 03:09:10
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2024-57937

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

二、漏洞分析结构反馈
影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：
1.master:
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP3(5.10.0):
4.openEuler-22.03-LTS-SP4(5.10.0):
5.openEuler-24.03-LTS(6.6.0):
6.openEuler-24.03-LTS-Next(6.6.0):
7.openEuler-24.03-LTS-SP1(6.6.0):

修复是否涉及abi变化(是/否)：
1.master:
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP3(5.10.0):
4.openEuler-22.03-LTS-SP4(5.10.0):
5.openEuler-24.03-LTS(6.6.0):
6.openEuler-24.03-LTS-Next(6.6.0):
7.openEuler-24.03-LTS-SP1(6.6.0):

原因说明：
1.master:
2.openEuler-20.03-LTS-SP4(4.19.90):
3.openEuler-22.03-LTS-SP3(5.10.0):
4.openEuler-22.03-LTS-SP4(5.10.0):
5.openEuler-24.03-LTS(6.6.0):
6.openEuler-24.03-LTS-Next(6.6.0):
7.openEuler-24.03-LTS-SP1(6.6.0):