CVE-2024-57945
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-57945
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57945.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-57945
- Downstream
- Related
- Published
- 2025-01-21T12:18:12.548Z
- Modified
- 2025-11-27T02:33:42.796835Z
- Summary
- riscv: mm: Fix the out of bound issue of vmemmap address
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
riscv: mm: Fix the out of bound issue of vmemmap address
In sparse vmemmap model, the virtual address of vmemmap is calculated as: ((struct page *)VMEMMAPSTART - (physrambase >> PAGESHIFT)). And the struct page's va can be calculated with an offset: (vmemmap + (pfn)).
However, when initializing struct pages, kernel actually starts from the first page from the same section that physrambase belongs to. If the first page's physical address is not (physrambase >> PAGESHIFT), then we get an va below VMEMMAPSTART when calculating va for it's struct page.
For example, if physrambase starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During initunavailablerange(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAPSTART - 0x2000), which is below VMEMMAPSTART as well as PCIIOEND.
This commit fixes this bug by introducing a new variable 'vmemmapstartpfn' which is aligned with memory section size and using it to calculate vmemmap address instead of physrambase.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/cc431b3424123d84bcd7afd4de150b33f117a8ef/cves/2024/57xxx/CVE-2024-57945.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f
- https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14
- https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66
- https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b
- https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8310080799b40fd9f2a8b808c657269678c149afFixed92f08673d3f1893191323572f60e3c62f2e57c2f
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda278d5c60f21aa15d540abb2f2da6e6d795c3e6eFixeda4a7ac3d266008018f05fae53060fcb331151a14
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda11dd49dcb9376776193e15641f84fcc1e5980c9Fixedd2bd51954ac8377c2f1eb1813e694788998add66
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda11dd49dcb9376776193e15641f84fcc1e5980c9Fixedf754f27e98f88428aaf6be6e00f5cbce97f62d4b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected8af1c121b0102041809bc137ec600d1865eaeedd
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected5941a90c55d3bfba732b32208d58d997600b44ef
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected2a1728c15ec4f45ed9248ae22f626541c179bfbe