4.3 KiB
CVE-2024-49934
Description
In the Linux kernel, the following vulnerability has been resolved:fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.nameIt's observed that a crash occurs during hot-remove a memory device,in which user is accessing the hugetlb. See calltrace as following:------------[ cut here ]------------WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc smirror dm_region_hash dm_log dm_modCPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014RIP: 0010:do_user_addr_fault+0x2a0/0x790Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000FS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: ? __warn+0x8d/0x190 ? do_user_addr_fault+0x2a0/0x790 ? report_bug+0x1c3/0x1d0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? do_user_addr_fault+0x2a0/0x790 ? exc_page_fault+0x31/0x200 exc_page_fault+0x68/0x200<...snip...>BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI ---[ end trace 0000000000000000 ]--- BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dentry_name+0x1f4/0x440<...snip...>? dentry_name+0x2fa/0x440vsnprintf+0x1f3/0x4f0vprintk_store+0x23a/0x540vprintk_emit+0x6d/0x330_printk+0x58/0x80dump_mapping+0x10b/0x1a0? __pfx_free_object_rcu+0x10/0x10__dump_page+0x26b/0x3e0? vprintk_emit+0xe0/0x330? _printk+0x58/0x80? dump_page+0x17/0x50dump_page+0x17/0x50do_migrate_range+0x2f7/0x7f0? do_migrate_range+0x42/0x7f0? offline_pages+0x2f4/0x8c0offline_pages+0x60a/0x8c0memory_subsys_offline+0x9f/0x1c0? lockdep_hardirqs_on+0x77/0x100? _raw_spin_unlock_irqrestore+0x38/0x60device_offline+0xe3/0x110state_store+0x6e/0xc0kernfs_fop_write_iter+0x143/0x200vfs_write+0x39f/0x560ksys_write+0x65/0xf0do_syscall_64+0x62/0x130Previously, some sanity check have been done in dump_mapping() beforethe print facility parsing '%pd' though, it's still possible to run intoan invalid dentry.d_name.name.Since dump_mapping() only needs to dump the filename only, retrieve itby itself in a safer way to prevent an unnecessary crash.Note that either retrieving the filename with '%pd' orstrncpy_from_kernel_nofault(), the filename could be unreliable.
POC
Reference
No PoCs from references.