CVE-2023-52490

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52490
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52490.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52490
Related
Published
2024-03-11T18:15:16Z
Modified
2024-09-11T05:02:05.445986Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: migrate: fix getting incorrect page mapping during page migration

When running stress-ng testing, we found below kernel crash after a few hours:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentryname+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 ...... Call trace: dentryname+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintkstore+0x70/0x234 vprintkemit+0xe0/0x24c vprintkdefault+0x3c/0x44 vprintkfunc+0x84/0x2d0 printk+0x64/0x88 _dumppage+0x52c/0x530 dumppage+0x14/0x20 setmigratetypeisolate+0x110/0x224 startisolatepagerange+0xc4/0x20c offlinepages+0x124/0x474 memoryblockoffline+0x44/0xf4 memorysubsysoffline+0x3c/0x70 deviceoffline+0xf0/0x120 ......

After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1.

Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, pagemapping() of the target page may return an incorrect file mapping to crash the system in dumpmapping(), since the target page->mapping only saves 'anonvma' pointer without setting PAGEMAPPING_ANON flag.

There are seveval ways to fix this issue: (1) Setting the PAGEMAPPINGANON flag for target page's ->mapping when saving 'anonvma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet. (2) Getting the page lock to call pagemapping() in _dumppage() to avoid crashing the system, however, there are still some PFN walkers that call pagemapping() without holding the page lock, such as compaction. (3) Using target page->private field to save the 'anonvma' pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way.

So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.15-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}