A recent vulnerability was discovered in the Linux kernel, specifically in the mm/vmalloc subsystem. The vulnerability could have led to a situation where a call to vmalloc with the __GFP_NOFAIL flag would still return 'NULL', potentially leading to unexpected behavior in user applications. The vulnerability has now been resolved with the necessary changes made to the kernel source code.

The Linux kernel commit that introduced the vulnerability (a421ef303008) added support for the __GFP_NOFAIL flag to work with kvmalloc, but it conflicted with another commit (dd544141b9eb) that made changes to the OOM-killer (out-of-memory killer) behavior. In a typical scenario, the following could occur:

The function being called eventually reaches the vm_area_alloc_pages() function.

3. If the OOM-killer sends a SIGKILL signal to process-a, the vm_area_alloc_pages() function would break, returning NULL even though it should never do that because of the __GFP_NOFAIL flag being set.

Here's an extract from the code with the important parts highlighted

process-a
__vmalloc_node_range(GFP_KERNEL | __GFP_NOFAIL)
    __vmalloc_area_node()
        vm_area_alloc_pages()
            --> oom-killer sends SIGKILL to process-a
        if (fatal_signal_pending(current)) break;
--> return NULL;

The fix made to address this issue involves not checking fatal_signal_pending() in vm_area_alloc_pages() when the __GFP_NOFAIL flag is set. This ensures that vmalloc will not return 'NULL' in such cases, avoiding unexpected behavior in user applications that rely on it.

This issue was discovered during OPLUS KASAN Tests, and the logs of the same are available in the original reference: OPLUS KASAN Test Log.

In conclusion, CVE-2024-39474 highlights an important vulnerability in the Linux kernel's memory management subsystem (mm/vmalloc) that could have impacted user applications relying on the __GFP_NOFAIL flag. The vulnerability has been resolved, and users are recommended to update their kernel to the latest patched version to avoid any potential issues.

1. Linux kernel commit a421ef303008: mm: allow !GFP_KERNEL allocations for kvmalloc
2. Linux kernel commit dd544141b9eb: vmalloc: back off when the current task is OOM-killed
3. OPLUS KASAN Test Log

Timeline

Published on: 07/05/2024 07:15:10 UTC
Last modified on: 07/15/2024 06:50:09 UTC