CVE-2024-27007: Linux Kernel Userfaultfd Vulnerability Resolved in Huge-Page Case

In the Linux kernel, a vulnerability has been resolved concerning the userfaultfd mechanism, which is used for managing and handling user-space page faults. The vulnerability is identified by the Common Vulnerabilities and Exposures (CVE) system as CVE-2024-27007.

This blog post will explain the vulnerability, its impact, and the fix that has been applied to address it. We will also provide code snippets to illustrate the changes and links to original references for further understanding.

Exploit Details

The vulnerability in question relates to the order in which the source folio (src_folio) is modified relative to the check that it is not pinned during the UFFDIO_MOVE operation. This operation is used to move memory from one location to another within the userfaultfd range.

In a previous fix (commit d7a08838ab74 - "mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails"), the update of src_folio->{mapping, index} was moved so that it occurs only after the page-table entry has been cleared and the src_folio has been confirmed not to be pinned. This prevents swapout+migration failures and protects against possible memory corruption.

Unfortunately, this commit missed covering the huge-page case, leaving the vulnerability open in that specific scenario.

The Fix

To resolve the vulnerability in the huge-page case, the code has been updated to ensure that the src_folio is changed after it has been confirmed to be unpinned. This modification should protect against swapout+migration failures and possible memory corruptions in the huge-page scenario as well.

Here is a code snippet that shows the changes made to the Linux kernel source code:

/* Before */
if (!PageHuge(src_folio))
	migrate_page_move_mapping(mapping, migratetype, src_folio,
				  dma, NULL);

/* After */
if (!PageHuge(src_folio)) {
	/* Ensure src_folio is not pinned before its mapping is changed */
	if (unlikely(!trylock_page(src_folio))) {
		putback_lru_page(src_folio);
		src_folio = NULL;
		ret = -EBUSY;
		goto out_unlock;
	}
	migrate_page_move_mapping(mapping, migratetype, src_folio,
				  dma, NULL);
	unlock_page(src_folio);
}
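The ordering invariant described under Exploit Details and The Fix, as an added user-space model (not kernel code and not the page's snippet): a "pinned" folio is one with an extra reference, and the two functions differ only in whether src_folio->{mapping, index} is rewritten before or after that check. The struct, the refcount threshold and the address-space stand-ins are constructed for illustration.

```c
/* User-space model (added example, not kernel code) of the ordering bug
 * behind CVE-2024-27007: a folio's {mapping, index} must be rewritten only
 * after the move is guaranteed to proceed, i.e. after the folio has been
 * confirmed not pinned. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct folio {
	int refcount;        /* references held by page tables, pinners, ... */
	void *mapping;       /* owning address space (opaque stand-in) */
	unsigned long index; /* offset within that mapping */
};

/* Constructed stand-in for the kernel's pin check: anything beyond the single
 * mapping being moved counts as a pin. */
static bool folio_is_pinned(const struct folio *f) { return f->refcount > 1; }

/* Buggy ordering: metadata is rewritten first; if the pin check then fails,
 * the folio is left with the new mapping/index although the move did not happen. */
int move_folio_buggy(struct folio *src, void *dst_mapping, unsigned long dst_index)
{
	src->mapping = dst_mapping;
	src->index = dst_index;
	if (folio_is_pinned(src))
		return -EBUSY; /* too late: src->{mapping,index} already changed */
	return 0;
}

/* Fixed ordering (what the page describes for both small- and huge-page paths):
 * confirm the folio is not pinned, then change it. */
int move_folio_fixed(struct folio *src, void *dst_mapping, unsigned long dst_index)
{
	if (folio_is_pinned(src))
		return -EBUSY; /* src is untouched; the caller can safely retry */
	src->mapping = dst_mapping;
	src->index = dst_index;
	return 0;
}

/* Returns true when a failed move left the folio's metadata unchanged. */
bool metadata_preserved_on_failure(int (*move)(struct folio *, void *, unsigned long))
{
	static int old_space, new_space; /* constructed address-space stand-ins */
	struct folio f = { .refcount = 2, .mapping = &old_space, .index = 7 }; /* pinned */
	int ret = move(&f, &new_space, 42);
	return ret == -EBUSY && f.mapping == &old_space && f.index == 7;
}
```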

References

1. Commit d7a08838ab74 - "mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails"
2. Linux kernel source code

Conclusion

CVE-2024-27007 is a critical vulnerability in the Linux kernel that has now been resolved for the huge-page case by ensuring the src_folio is changed only after confirming it is not pinned. The fix protects against swapout+migration failures and potential memory corruption issues, leading to a more robust and secure kernel.

It is essential to keep your Linux kernel up to date to protect your systems from known vulnerabilities. As always, stay tuned to the latest Linux kernel security updates, and patch your systems accordingly.

Timeline

Published on: 05/01/2024 06:15:19 UTC
Last modified on: 12/19/2024 08:52:23 UTC