CVE-2024-26947: ARM Flushing Page Tables Vulnerability in Linux Kernel

A new vulnerability has recently been discovered in the Linux kernel. This vulnerability, identified as CVE-2024-26947, arises due to incorrect handling of certain memory layouts in the ARM (Advanced RISC Machine) architecture. The ARM architecture is widely used in many devices, such as smartphones, tablets, embedded systems, and IoT devices. Therefore, it is critical to be aware of this vulnerability and understand the steps taken to resolve the issue.

The vulnerability exists in a component of the Linux kernel that handles ARM's page table management. A specific commit (a4d5613c4dc6) introduced a change to the pfn_valid() function which caused the system to crash during certain uio tests. This crash was due to an inability to handle a specific memory layout, as outlined in the original report [1].

Here is a snippet of the code in question

ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account
freed memory map alignment") changes the semantics of pfn_valid() to check
presence of the memory map for a PFN.

To understand the root cause, let's examine the crash backtrace

 Unable to handle kernel paging request at virtual address bff00000
  [...]
  CPU: 1 PID: 465 Comm: startapp.bin Tainted: G           O      5.10. #1
  Hardware name: Generic DT based system
  PC is at b15_flush_kern_dcache_area+x24/x3c
  LR is at __sync_icache_dcache+x6c/x98
  [...]
   (b15_flush_kern_dcache_area) from (__sync_icache_dcache+x6c/x98)
   (__sync_icache_dcache) from (set_pte_at+x28/x54)
   (set_pte_at) from (remap_pfn_range+x1a/x274)
   (remap_pfn_range) from (uio_mmap+x184/x1b8 [uio])
   (uio_mmap [uio]) from (__mmap_region+x264/x5f4)
   (__mmap_region) from (__do_mmap_mm+x3ec/x440)
   (__do_mmap_mm) from (do_mmap+x50/x58)
   (do_mmap) from (vm_mmap_pgoff+xfc/x188)
   (vm_mmap_pgoff) from (ksys_mmap_pgoff+xac/xc4)
   (ksys_mmap_pgoff) from (ret_fast_syscall+x/x5c)
  Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)
  ---[ end trace 09cf0734c3805d52 ]---
  Kernel panic - not syncing: Fatal exception

Fortunately, the vulnerability can be resolved by checking if the PG_reserved flag has been set. This ensures that the kernel does not attempt to handle memory mappings for reserved but unmapped pages. The patch for this issue has been applied to the Linux kernel, mitigating the risk associated with CVE-2024-26947.

For more details on this vulnerability and its resolution, please refer to the original report [1] on the Linux Kernel Mailing List.

[1]: https://lore.kernel.org/lkml/Zbtdue57ROQScJM@linux.ibm.com/

Timeline

Published on: 05/01/2024 06:15:10 UTC
Last modified on: 05/29/2024 05:25:40 UTC