A vulnerability has been identified and resolved in the Linux kernel, specifically affecting the fork system call and the handling of file-backed virtual memory areas (VMAs). This post provides the details about this vulnerability, CVE-2024-27022, including context, code snippets, and original references.

Background

Thorvald first reported a WARNING [1] caused by a race condition in the Linux kernel between the fork system call and the hugetlbfs_fallocate function, which can lead to unexpected behavior and potentially exploitable conditions. The root cause is the order in which a file-backed VMA is initialized and linked into its file mapping during fork.

Exploit Details

The race condition occurs when the fork system call is executing on one CPU while hugetlbfs_fallocate is called on another CPU. During dup_mmap, the child's VMA is linked into the file mapping's i_mmap tree before it is fully initialized: its hugetlb vma_lock is cleared and a new one allocated only afterwards, outside i_mmap_rwsem. The fallocate path can therefore observe a half-initialized VMA, which leads to unexpected behavior and potential vulnerabilities.

Here is the interleaving that triggers the race:

 CPU 1                                                                     CPU 2
 fork                                                                      hugetlbfs_fallocate
  dup_mmap                                                                  hugetlbfs_punch_hole
   i_mmap_lock_write(mapping);
   vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.
   i_mmap_unlock_write(mapping);
   hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!
                                                                            i_mmap_lock_write(mapping);
                                                                            hugetlb_vmdelete_list
                                                                             vma_interval_tree_foreach
                                                                              hugetlb_vma_trylock_write -- Vma_lock is cleared.
   tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!
                                                                              hugetlb_vma_unlock_write -- Vma_lock is assigned!!!
                                                                            i_mmap_unlock_write(mapping);

The fix for this issue involves deferring the linking of the file VMA until the VMA is fully initialized. By ensuring that the VMAs are properly initialized before they can be used, this vulnerability can be mitigated.

- Linux Kernel Mailing List - fork: defer linking file vma until vma is fully initialized

This patch ensures that the VMAs are fully initialized before being linked to the file mapping, addressing the race condition and eliminating the vulnerability.
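As an added illustration (a constructed user-space model, not kernel code and not taken from the patch), the ordering bug can be reduced to a list of VMAs reachable through the mapping's i_mmap structure, where the hugetlbfs side expects every VMA it finds there to already have its vma_lock. Running the dup_mmap steps in the pre-fix order (link, hugetlb_dup_vma_private, vm_ops->open) and letting "CPU 2" run after each step exposes a VMA without a vma_lock; the post-fix order (initialize first, link last) never does. The helper names link_file_vma, vmdelete_list_uninit and count_racy_points are this model's own.

```c
/* Constructed user-space model of the ordering bug behind CVE-2024-27022 (not
 * kernel code): a child VMA becomes reachable via the mapping's i_mmap list
 * while the hugetlbfs side assumes every reachable VMA has its vma_lock set. */
#include <stddef.h>
struct vma { struct vma *next; void *vma_lock; };
struct mapping { int write_held; struct vma *i_mmap; };   /* i_mmap_rwsem + tree */
static void i_mmap_lock_write(struct mapping *m)   { m->write_held = 1; }
static void i_mmap_unlock_write(struct mapping *m) { m->write_held = 0; }
/* Models vma_interval_tree_insert_after() done under i_mmap_lock_write(). */
static void link_file_vma(struct mapping *m, struct vma *v) {
    i_mmap_lock_write(m);
    v->next = m->i_mmap;
    m->i_mmap = v;                  /* from here on CPU 2 can see v */
    i_mmap_unlock_write(m);
}
/* Models hugetlb_vmdelete_list(): walk i_mmap under the rwsem and count VMAs
 * whose vma_lock is missing, the state hugetlb_vma_trylock_write() trips on. */
static int vmdelete_list_uninit(struct mapping *m) {
    int bad = 0;
    i_mmap_lock_write(m);
    for (struct vma *v = m->i_mmap; v; v = v->next)
        if (v->vma_lock == NULL) bad++;
    i_mmap_unlock_write(m);
    return bad;
}
/* The dup_mmap() steps from the race diagram, as an ordered sequence. */
enum step { LINK, DUP_PRIVATE, VM_OPS_OPEN, NSTEPS };
static void run_step(struct mapping *m, struct vma *child, enum step s) {
    if (s == LINK)        link_file_vma(m, child);   /* publish in i_mmap */
    if (s == DUP_PRIVATE) child->vma_lock = NULL;    /* hugetlb_dup_vma_private */
    if (s == VM_OPS_OPEN) child->vma_lock = child;   /* vm_ops->open allocates vma_lock */
}
/* Runs the steps in 'order' and lets "CPU 2" run hugetlbfs_fallocate after
 * each one; returns how many of those points expose an uninitialised VMA. */
int count_racy_points(const enum step *order) {
    struct mapping m = { 0, NULL };
    struct vma parent = { NULL, &parent };
    struct vma child = { NULL, parent.vma_lock };    /* the *tmp = *mpnt copy */
    int racy = 0;
    for (int i = 0; i < NSTEPS; i++) {
        run_step(&m, &child, order[i]);
        racy += vmdelete_list_uninit(&m);
    }
    return racy;
}
/* Ordering before the fix: link first, initialise afterwards. */
const enum step before_fix[NSTEPS] = { LINK, DUP_PRIVATE, VM_OPS_OPEN };
/* Ordering after the fix: defer the link until the VMA is fully initialised. */
const enum step after_fix[NSTEPS]  = { DUP_PRIVATE, VM_OPS_OPEN, LINK };
```

count_racy_points(before_fix) reports one exposed point (after hugetlb_dup_vma_private clears the lock while the VMA is already linked); count_racy_points(after_fix) reports none.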

Conclusion

CVE-2024-27022 is a vulnerability in the Linux kernel affecting the fork system call and VMAs related to file mappings. The issue is caused by a race condition involving the initialization and handling of VMAs. By deferring the linking of the file VMA until it is fully initialized, this vulnerability can be resolved. It is highly recommended that affected users apply the provided patch to ensure system security and stability.

References

1. Linux Kernel Mailing List - WARNING: kernel BUG at ... memory.c

Timeline

Published on: 05/01/2024 06:15:21 UTC
Last modified on: 06/21/2024 14:15:11 UTC