CVE-2024-49873
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-49873
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49873.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-49873
- Downstream
- Related
- Published
- 2024-10-21T18:01:14Z
- Modified
- 2025-10-15T00:15:48.847560Z
- Summary
- mm/filemap: fix filemap_get_folios_contig THP panic
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mm/filemap: fix filemapgetfolios_contig THP panic
Patch series "memfd-pin huge page fixes".
Fix multiple bugs that occur when using memfdpinfolios with hugetlb pages and THP. The hugetlb bugs only bite when the page is not yet faulted in when memfdpinfolios is called. The THP bug bites when the starting offset passed to memfdpinfolios is not huge page aligned. See the commit messages for details.
This patch (of 5):
memfdpinfolios on memory backed by THP panics if the requested start offset is not huge page aligned:
BUG: kernel NULL pointer dereference, address: 0000000000000036 RIP: 0010:filemapgetfolios_contig+0xdf/0x290 RSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202 RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002
The fault occurs here, because xas_load returns a folio with value 2:
filemap_get_folios_contig() for (folio = xas_load(&xas); folio && xas.xa_index <= end; folio = xas_next(&xas)) { ... if (!folio_try_get(folio)) <-- BOOM"2" is an xarray sibling entry. We get it because memfdpinfolios does not round the indices passed to filemapgetfolioscontig to huge page boundaries for THP, so we load from the middle of a huge page range see a sibling. (It does round for hugetlbfs, at the isfile_hugepages test).
To fix, if the folio is a sibling, then return the next index as the starting point for the next call to filemapgetfolios_contig.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced89c1905d9c140372b7f50ef48f42378cf85d9bc5Fixed570dd14bfecf281fa467c80f8ec92b26370ee36a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced89c1905d9c140372b7f50ef48f42378cf85d9bc5Fixedc225c4f6056b46a8a5bf2ed35abf17a2d6887691
Affected versions
v6.*
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"id": "CVE-2024-49873-11b2d6cc",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c225c4f6056b46a8a5bf2ed35abf17a2d6887691",
"signature_version": "v1",
"target": {
"file": "mm/filemap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"253523317611079275428364003379141523905",
"333853744591788744674359809272714016311",
"227115487853370439884973918149551044060"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-49873-3585091b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@570dd14bfecf281fa467c80f8ec92b26370ee36a",
"signature_version": "v1",
"target": {
"function": "filemap_get_folios_contig",
"file": "mm/filemap.c"
},
"digest": {
"function_hash": "278717856836216631640803173648212958384",
"length": 824.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2024-49873-5265acb4",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@570dd14bfecf281fa467c80f8ec92b26370ee36a",
"signature_version": "v1",
"target": {
"file": "mm/filemap.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"253523317611079275428364003379141523905",
"333853744591788744674359809272714016311",
"227115487853370439884973918149551044060"
]
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2024-49873-fa830c17",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c225c4f6056b46a8a5bf2ed35abf17a2d6887691",
"signature_version": "v1",
"target": {
"function": "filemap_get_folios_contig",
"file": "mm/filemap.c"
},
"digest": {
"function_hash": "278717856836216631640803173648212958384",
"length": 824.0
},
"deprecated": false
}
]