cvelist/2024/42xxx/CVE-2024-42317.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-42317",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: avoid PMD-size page cache if needed\n\nxarray can't support arbitrary page cache size.  the largest and supported\npage cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71\n(\"mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\").  However,\nit's possible to have 512MB page cache in the huge memory's collapsing\npath on ARM64 system whose base page size is 64KB.  512MB page cache is\nbreaking the limitation and a warning is raised when the xarray entry is\nsplit as shown in the following example.\n\n[root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize\nKernelPageSize:       64 kB\n[root@dhcp-10-26-1-207 ~]# cat /tmp/test.c\n   :\nint main(int argc, char **argv)\n{\n\tconst char *filename = TEST_XFS_FILENAME;\n\tint fd = 0;\n\tvoid *buf = (void *)-1, *p;\n\tint pgsize = getpagesize();\n\tint ret = 0;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stdout, \"System with 64KB base page size is required!\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/* Open the xfs file */\n\tfd = open(filename, O_RDONLY);\n\tassert(fd > 0);\n\n\t/* Create VMA */\n\tbuf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0);\n\tassert(buf != (void *)-1);\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\n\t/* Populate VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ);\n\tassert(ret == 0);\n\n\t/* Collapse VMA */\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE);\n\tif (ret) {\n\t\tfprintf(stdout, \"Error %d to madvise(MADV_COLLAPSE)\\n\", errno);\n\t\tgoto out;\n\t}\n\n\t/* Split xarray entry. Write permission is needed */\n\tmunmap(buf, TEST_MEM_SIZE);\n\tbuf = (void *)-1;\n\tclose(fd);\n\tfd = open(filename, O_RDWR);\n\tassert(fd > 0);\n\tfallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,\n \t\t  TEST_MEM_SIZE - pgsize, pgsize);\nout:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn ret;\n}\n\n[root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test\n[root@dhcp-10-26-1-207 ~]# /tmp/test\n ------------[ cut here ]------------\n WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\n Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib    \\\n nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct      \\\n nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4      \\\n ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse   \\\n xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net  \\\n sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio\n CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9\n Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\n pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n pc : xas_split_alloc+0xf8/0x128\n lr : split_huge_page_to_list_to_order+0x1c4/0x780\n sp : ffff8000ac32f660\n x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0\n x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d\n x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c\n x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8\n x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40\n x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\n Call trace:\n  xas_split_alloc+0xf8/0x128\n  split_huge_page_to_list_to_order+0x1c4/0x780\n  truncate_inode_partial_folio+0
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "6b24ca4a1a8d",
                                            "version_value": "e60f62f75c99"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "5.17",
                                                        "status": "affected"
                                                    },
                                                    {
                                                        "version": "0",
                                                        "lessThan": "5.17",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.10.3",
                                                        "lessThanOrEqual": "6.10.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.11",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/e60f62f75c99740a28e2bf7e6044086033012a16",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/e60f62f75c99740a28e2bf7e6044086033012a16"
            },
            {
                "url": "https://git.kernel.org/stable/c/d659b715e94ac039803d7601505d3473393fc0be",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/d659b715e94ac039803d7601505d3473393fc0be"
            }
        ]
    },
    "generator": {
        "engine": "bippy-9e1c9544281a"
    }
}
"-Synchronized-Data." 2024-07-30 08:01:06 +00:00			`{`
"-Synchronized-Data." 2024-08-17 10:00:35 +00:00			`"data_version": "4.0",`
"-Synchronized-Data." 2024-07-30 08:01:06 +00:00			`"data_type": "CVE",`
			`"data_format": "MITRE",`
			`"CVE_data_meta": {`
			`"ID": "CVE-2024-42317",`
"-Synchronized-Data." 2024-08-17 10:00:35 +00:00			`"ASSIGNER": "cve@kernel.org",`
			`"STATE": "PUBLIC"`
"-Synchronized-Data." 2024-07-30 08:01:06 +00:00			`},`
			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2024-08-17 10:00:35 +00:00			"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: avoid PMD-size page cache if needed\n\nxarray can't support arbitrary page cache size. the largest and supported\npage cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71\n(\"mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray\"). However,\nit's possible to have 512MB page cache in the huge memory's collapsing\npath on ARM64 system whose base page size is 64KB. 512MB page cache is\nbreaking the limitation and a warning is raised when the xarray entry is\nsplit as shown in the following example.\n\n[root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps \| grep KernelPageSize\nKernelPageSize: 64 kB\n[root@dhcp-10-26-1-207 ~]# cat /tmp/test.c\n :\nint main(int argc, char *argv)\n{\n\tconst char filename = TEST_XFS_FILENAME;\n\tint fd = 0;\n\tvoid buf = (void )-1, p;\n\tint pgsize = getpagesize();\n\tint ret = 0;\n\n\tif (pgsize != 0x10000) {\n\t\tfprintf(stdout, \"System with 64KB base page size is required!\\n\");\n\t\treturn -EPERM;\n\t}\n\n\tsystem(\"echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb\");\n\tsystem(\"echo 1 > /proc/sys/vm/drop_caches\");\n\n\t/ Open the xfs file /\n\tfd = open(filename, O_RDONLY);\n\tassert(fd > 0);\n\n\t/ Create VMA /\n\tbuf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0);\n\tassert(buf != (void )-1);\n\tfprintf(stdout, \"mapped buffer at 0x%p\\n\", buf);\n\n\t/* Populate VMA /\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ);\n\tassert(ret == 0);\n\n\t/ Collapse VMA /\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);\n\tassert(ret == 0);\n\tret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE);\n\tif (ret) {\n\t\tfprintf(stdout, \"Error %d to madvise(MADV_COLLAPSE)\\n\", errno);\n\t\tgoto out;\n\t}\n\n\t/ Split xarray entry. Write permission is needed /\n\tmunmap(buf, TEST_MEM_SIZE);\n\tbuf = (void )-1;\n\tclose(fd);\n\tfd = open(filename, O_RDWR);\n\tassert(fd > 0);\n\tfallocate(fd, FALLOC_FL_KEEP_SIZE \| FALLOC_FL_PUNCH_HOLE,\n \t\t TEST_MEM_SIZE - pgsize, pgsize);\nout:\n\tif (buf != (void *)-1)\n\t\tmunmap(buf, TEST_MEM_SIZE);\n\tif (fd > 0)\n\t\tclose(fd);\n\n\treturn ret;\n}\n\n[root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test\n[root@dhcp-10-26-1-207 ~]# /tmp/test\n ------------[ cut here ]------------\n WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128\n Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \\\n nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \\\n nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \\\n ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \\\n xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \\\n sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio\n CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9\n Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024\n pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\n pc : xas_split_alloc+0xf8/0x128\n lr : split_huge_page_to_list_to_order+0x1c4/0x780\n sp : ffff8000ac32f660\n x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0\n x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d\n x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000\n x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000\n x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000\n x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c\n x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8\n x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40\n x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000\n Call trace:\n xas_split_alloc+0xf8/0x128\n split_huge_page_to_list_to_order+0x1c4/0x780\n truncate_inode_partial_folio+0
"-Synchronized-Data." 2024-07-30 08:01:06 +00:00			`}`
			`]`
"-Synchronized-Data." 2024-08-17 10:00:35 +00:00			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "n/a"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"vendor_name": "Linux",`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Linux",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "<",`
			`"version_name": "6b24ca4a1a8d",`
			`"version_value": "e60f62f75c99"`
			`},`
			`{`
			`"version_value": "not down converted",`
			`"x_cve_json_5_version_data": {`
			`"versions": [`
			`{`
			`"version": "5.17",`
			`"status": "affected"`
			`},`
			`{`
			`"version": "0",`
			`"lessThan": "5.17",`
			`"status": "unaffected",`
"-Synchronized-Data." 2024-11-05 10:01:30 +00:00			`"versionType": "semver"`
"-Synchronized-Data." 2024-08-17 10:00:35 +00:00			`},`
			`{`
			`"version": "6.10.3",`
			`"lessThanOrEqual": "6.10.*",`
			`"status": "unaffected",`
"-Synchronized-Data." 2024-11-05 10:01:30 +00:00			`"versionType": "semver"`
"-Synchronized-Data." 2024-08-17 10:00:35 +00:00			`},`
			`{`
"-Synchronized-Data." 2024-09-15 18:00:35 +00:00			`"version": "6.11",`
"-Synchronized-Data." 2024-08-17 10:00:35 +00:00			`"lessThanOrEqual": "*",`
			`"status": "unaffected",`
			`"versionType": "original_commit_for_fix"`
			`}`
			`],`
			`"defaultStatus": "affected"`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"url": "https://git.kernel.org/stable/c/e60f62f75c99740a28e2bf7e6044086033012a16",`
			`"refsource": "MISC",`
			`"name": "https://git.kernel.org/stable/c/e60f62f75c99740a28e2bf7e6044086033012a16"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/d659b715e94ac039803d7601505d3473393fc0be",`
			`"refsource": "MISC",`
			`"name": "https://git.kernel.org/stable/c/d659b715e94ac039803d7601505d3473393fc0be"`
			`}`
			`]`
			`},`
			`"generator": {`
"-Synchronized-Data." 2024-11-05 10:01:30 +00:00			`"engine": "bippy-9e1c9544281a"`
"-Synchronized-Data." 2024-07-30 08:01:06 +00:00			`}`
			`}`