CVE-2024-46847

In the Linux kernel, the following vulnerability has been resolved:

mm: vmalloc: ensure vmap_block is initialised before adding to queue

Commit 8c61291fd850 ("mm: fix incorrect vbq reference in purgefragmentedblock") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU.

When a new 'vmapblock' is being instantiated by newvmapblock(), the partially initialised structure is added to the local 'vmapblockqueue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vmunmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index.

This has been observed as UBSAN errors in Android:

| Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purgefragmentedblock+0x204/0x21c | vmunmapaliases+0x170/0x378 | vmunmapaliases+0x1c/0x28 | changememorycommon+0x1dc/0x26c | setmemoryro+0x18/0x24 | moduleenablero+0x98/0x238 | doinit_module+0x1b0/0x310

Move the initialisation of 'vb->cpu' in newvmapblock() ahead of the addition to the xarray.