mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 09:11:28 +00:00
133 lines
12 KiB
JSON
133 lines
12 KiB
JSON
{
|
|
"id": "CVE-2024-53079",
|
|
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"published": "2024-11-19T18:15:27.340",
|
|
"lastModified": "2024-11-27T16:59:20.303",
|
|
"vulnStatus": "Analyzed",
|
|
"cveTags": [],
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/thp: fix deferred split unqueue naming and locking\n\nRecent changes are putting more pressure on THP deferred split queues:\nunder load revealing long-standing races, causing list_del corruptions,\n\"Bad page state\"s and worse (I keep BUGs in both of those, so usually\ndon't get to see how badly they end up without). The relevant recent\nchanges being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin,\nimproved swap allocation, and underused THP splitting.\n\nBefore fixing locking: rename misleading folio_undo_large_rmappable(),\nwhich does not undo large_rmappable, to folio_unqueue_deferred_split(),\nwhich is what it does. But that and its out-of-line __callee are mm\ninternals of very limited usability: add comment and WARN_ON_ONCEs to\ncheck usage; and return a bool to say if a deferred split was unqueued,\nwhich can then be used in WARN_ON_ONCEs around safety checks (sparing\ncallers the arcane conditionals in __folio_unqueue_deferred_split()).\n\nJust omit the folio_unqueue_deferred_split() from free_unref_folios(), all\nof whose callers now call it beforehand (and if any forget then bad_page()\nwill tell) - except for its caller put_pages_list(), which itself no\nlonger has any callers (and will be deleted separately).\n\nSwapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0\nwithout checking and unqueueing a THP folio from deferred split list;\nwhich is unfortunate, since the split_queue_lock depends on the memcg\n(when memcg is enabled); so swapout has been unqueueing such THPs later,\nwhen freeing the folio, using the pgdat's lock instead: potentially\ncorrupting the memcg's list. __remove_mapping() has frozen refcount to 0\nhere, so no problem with calling folio_unqueue_deferred_split() before\nresetting memcg_data.\n\nThat goes back to 5.4 commit 87eaceb3faa5 (\"mm: thp: make deferred split\nshrinker memcg aware\"): which included a check on swapcache before adding\nto deferred queue, but no check on deferred queue before adding THP to\nswapcache. That worked fine with the usual sequence of events in reclaim\n(though there were a couple of rare ways in which a THP on deferred queue\ncould have been swapped out), but 6.12 commit dafff3f4c850 (\"mm: split\nunderused THPs\") avoids splitting underused THPs in reclaim, which makes\nswapcache THPs on deferred queue commonplace.\n\nKeep the check on swapcache before adding to deferred queue? Yes: it is\nno longer essential, but preserves the existing behaviour, and is likely\nto be a worthwhile optimization (vmstat showed much more traffic on the\nqueue under swapping load if the check was removed); update its comment.\n\nMemcg-v1 move (deprecated): mem_cgroup_move_account() has been changing\nfolio->memcg_data without checking and unqueueing a THP folio from the\ndeferred list, sometimes corrupting \"from\" memcg's list, like swapout. \nRefcount is non-zero here, so folio_unqueue_deferred_split() can only be\nused in a WARN_ON_ONCE to validate the fix, which must be done earlier:\nmem_cgroup_move_charge_pte_range() first try to split the THP (splitting\nof course unqueues), or skip it if that fails. Not ideal, but moving\ncharge has been requested, and khugepaged should repair the THP later:\nnobody wants new custom unqueueing code just for this deprecated case.\n\nThe 87eaceb3faa5 commit did have the code to move from one deferred list\nto another (but was not conscious of its unsafety while refcount non-0);\nbut that was removed by 5.6 commit fac0516b5534 (\"mm: thp: don't need care\ndeferred split queue in memcg charge move path\"), which argued that the\nexistence of a PMD mapping guarantees that the THP cannot be on a deferred\nlist. As above, false in rare cases, and now commonly false.\n\nBackport to 6.11 should be straightforward. Earlier backports must take\ncare that other _deferred_list fixes and dependencies are included. There\nis not a strong case for backports, but they can fix cornercases."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/thp: arregla el bloqueo y el nombre de la cola de separaci\u00f3n diferida Los cambios recientes est\u00e1n poniendo m\u00e1s presi\u00f3n en las colas de separaci\u00f3n diferida de THP: bajo carga revelando ejecuci\u00f3ns de larga data, causando corrupciones de list_del, \"Bad page state\" y peores (mantengo ERRORES en ambos, por lo que generalmente no llego a ver qu\u00e9 tan mal terminan sin ellos). Los cambios recientes relevantes son mTHP de 6.8, mTHP swapout de 6.10 y mTHP swapin de 6.12, asignaci\u00f3n de intercambio mejorada y divisi\u00f3n de THP infrautilizada. Antes de arreglar el bloqueo: cambia el nombre de folio_undo_large_rmappable() enga\u00f1oso, que no deshace large_rmappable, a folio_unqueue_deferred_split(), que es lo que hace. Pero eso y su __callee fuera de l\u00ednea son internos mm de usabilidad muy limitada: agrega comentario y WARN_ON_ONCEs para verificar el uso; y devuelve un bool para decir si una divisi\u00f3n diferida fue sacada de la cola, que luego se puede usar en WARN_ON_ONCEs alrededor de las verificaciones de seguridad (ahorrando a los llamadores las condicionales arcanas en __folio_unqueue_deferred_split()). Simplemente omite folio_unqueue_deferred_split() de free_unref_folios(), todos cuyos llamadores ahora lo llaman de antemano (y si alguno se olvida, bad_page() lo dir\u00e1) - excepto su llamador put_pages_list(), que en s\u00ed mismo ya no tiene ning\u00fan llamador (y se eliminar\u00e1 por separado). Swapout: mem_cgroup_swapout() ha estado restableciendo folio->memcg_data 0 sin verificar y sacar de la cola un folio THP de la lista de divisiones diferidas; lo cual es desafortunado, ya que split_queue_lock depende de memcg (cuando memcg est\u00e1 habilitado); por lo que swapout ha estado sacando de la cola dichos THP m\u00e1s tarde, al liberar el folio, usando el bloqueo de pgdat en su lugar: potencialmente corrompiendo la lista de memcg. __remove_mapping() ha congelado refcount a 0 aqu\u00ed, por lo que no hay problema con llamar a folio_unqueue_deferred_split() antes de restablecer memcg_data. Eso se remonta a el commit 5.4 87eaceb3faa5 (\"mm: thp: make deferred split reductioner memcg awareness\"): que inclu\u00eda una verificaci\u00f3n en swapcache antes de agregar a la cola diferida, pero ninguna verificaci\u00f3n en la cola diferida antes de agregar THP a swapcache. Eso funcion\u00f3 bien con la secuencia habitual de eventos en la recuperaci\u00f3n (aunque hubo un par de formas raras en las que un THP en la cola diferida podr\u00eda haber sido intercambiado), pero el commit 6.12 dafff3f4c850 (\"mm: dividir THP subutilizados\") evita dividir THP subutilizados en la recuperaci\u00f3n, lo que hace que los THP de swapcache en la cola diferida sean algo com\u00fan. \u00bfMantener la verificaci\u00f3n en swapcache antes de agregar a la cola diferida? S\u00ed: ya no es esencial, pero conserva el comportamiento existente y es probable que sea una optimizaci\u00f3n que valga la pena (vmstat mostr\u00f3 mucho m\u00e1s tr\u00e1fico en la cola bajo carga de intercambio si se elimin\u00f3 la verificaci\u00f3n); actualice su comentario. Movimiento de Memcg-v1 (obsoleto): mem_cgroup_move_account() ha estado cambiando folio->memcg_data sin verificar y sacar de la cola un folio THP de la lista diferida, a veces corrompiendo \"de\" la lista de memcg, como swapout. Refcount no es cero aqu\u00ed, por lo que folio_unqueue_deferred_split() solo se puede usar en un WARN_ON_ONCE para validar la correcci\u00f3n, que debe hacerse antes: mem_cgroup_move_charge_pte_range() primero intenta dividir el THP (la divisi\u00f3n, por supuesto, desencola), o lo omite si eso falla. No es ideal, pero se ha solicitado mover el cargo, y khugepaged deber\u00eda reparar el THP m\u00e1s tarde: nadie quiere un nuevo c\u00f3digo de desencola personalizado solo para este caso obsoleto. el commit 87eaceb3faa5 ten\u00eda el c\u00f3digo para moverse de una lista diferida a otra (pero no era consciente de su inseguridad mientras refcount no sea 0); pero eso fue eliminado por el commit fac0516b5534 de la versi\u00f3n 5.6 ---- truncado -----"
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
|
|
"baseScore": 5.5,
|
|
"baseSeverity": "MEDIUM",
|
|
"attackVector": "LOCAL",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "NONE",
|
|
"integrityImpact": "NONE",
|
|
"availabilityImpact": "HIGH"
|
|
},
|
|
"exploitabilityScore": 1.8,
|
|
"impactScore": 3.6
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-667"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "5.4",
|
|
"versionEndExcluding": "6.6.62",
|
|
"matchCriteriaId": "AC648588-B095-401F-A0F4-2837283639E9"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
|
|
"versionStartIncluding": "6.7",
|
|
"versionEndExcluding": "6.11.8",
|
|
"matchCriteriaId": "0BD000F7-3DAD-4DD3-8906-98EA1EC67E95"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*",
|
|
"matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*",
|
|
"matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*",
|
|
"matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*",
|
|
"matchCriteriaId": "E0F717D8-3014-4F84-8086-0124B2111379"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*",
|
|
"matchCriteriaId": "24DBE6C7-2AAE-4818-AED2-E131F153D2FA"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*",
|
|
"matchCriteriaId": "24B88717-53F5-42AA-9B72-14C707639E3F"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/afb1352d06b1b6b2cfd1f901c766a430c87078b3",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/f8f931bba0f92052cf842b7e30917b1afcc77d5a",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://git.kernel.org/stable/c/fc4951c3e3358dd82ea508e893695b916c813f17",
|
|
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
|
|
"tags": [
|
|
"Patch"
|
|
]
|
|
}
|
|
]
|
|
} |