CVE-2024-27022

CPU 1 CPU 2 fork hugetlbfsfallocate dupmmap hugetlbfspunchhole immaplockwrite(mapping); vmaintervaltreeinsertafter -- Child vma is visible through immap tree. immapunlockwrite(mapping); hugetlbdupvmaprivate -- Clear vmalock outside immaprwsem! immaplockwrite(mapping); hugetlbvmdeletelist vmaintervaltreeforeach hugetlbvmatrylockwrite -- Vmalock is cleared. tmp->vmops->open -- Alloc new vmalock outside immaprwsem! hugetlbvmaunlockwrite -- Vmalock is assigned!!! immapunlockwrite(mapping);

hugetlbdupvmaprivate() and hugetlbvmopopen() are called outside immaprwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8d9bfb2608145cf3e408428c224099e1585471af

Fixed

abdb88dd272bbeb93efe01d8e0b7b17e24af3a34

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8d9bfb2608145cf3e408428c224099e1585471af

Fixed

35e351780fa9d8240dd6f7e4f245f9ea37e96c19

Affected versions

v6.*

v6.0

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

v6.8.2

v6.8.3

v6.8.4

v6.8.5

v6.8.6

v6.8.7

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2024-27022-4a180592",
        "target": {
            "file": "kernel/fork.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abdb88dd272bbeb93efe01d8e0b7b17e24af3a34",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "4399987533757603770671843324208812196",
                "321689459279115594425085382555534876519",
                "254577188029899203364295065082991605318",
                "14826449155807757031966669423832149279",
                "289128195497148162080431874845565431222",
                "332898848559431906416902623283369077602",
                "247511779865420991314233689511371285381",
                "104583346785158407057609979364916845471",
                "155063948034644845115821660252913177247",
                "313340266186718893671042436684020974928",
                "76158572329845274791580400443641431309",
                "145840019012278906845303443044198959676",
                "249414444906711250051323917351242638754",
                "336175453381225048991963951080469629246",
                "80062990219649173737896100883731841511"
            ]
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-27022-72fd6109",
        "target": {
            "function": "dup_mmap",
            "file": "kernel/fork.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abdb88dd272bbeb93efe01d8e0b7b17e24af3a34",
        "digest": {
            "function_hash": "121788053258155099944162709800893328600",
            "length": 2738.0
        }
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-27022-a0908224",
        "target": {
            "function": "dup_mmap",
            "file": "kernel/fork.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35e351780fa9d8240dd6f7e4f245f9ea37e96c19",
        "digest": {
            "function_hash": "121788053258155099944162709800893328600",
            "length": 2738.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-27022-a3f0073d",
        "target": {
            "file": "kernel/fork.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35e351780fa9d8240dd6f7e4f245f9ea37e96c19",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "4399987533757603770671843324208812196",
                "321689459279115594425085382555534876519",
                "254577188029899203364295065082991605318",
                "14826449155807757031966669423832149279",
                "289128195497148162080431874845565431222",
                "332898848559431906416902623283369077602",
                "247511779865420991314233689511371285381",
                "104583346785158407057609979364916845471",
                "155063948034644845115821660252913177247",
                "313340266186718893671042436684020974928",
                "76158572329845274791580400443641431309",
                "145840019012278906845303443044198959676",
                "249414444906711250051323917351242638754",
                "336175453381225048991963951080469629246",
                "80062990219649173737896100883731841511"
            ]
        }
    }
]

CVE-2024-27022

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Affected versions

v6.*

Database specific

vanir_signatures

Linux / Kernel

Package

Affected ranges