A new vulnerability has been discovered in the Linux kernel related to the handling of independent PMD page tables. This vulnerability, identified as CVE-2024-57883, can lead to unintended changes in the folio refcount and result in a leaked page table. This post aims to provide a detailed explanation of the vulnerability, code snippets, links to original references, and exploit details.
Vulnerability Details
The issue arises when the folio refcount is unexpectedly increased through the try_get_folio() function by callers such as split_huge_pages. In huge_pmd_unshare(), the refcount is checked to determine if a PMD page table is shared. However, this check can be incorrect if the refcount is increased by the aforementioned caller, ultimately causing the page table to leak:
BUG: Bad page state in process sh pfn:109324
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
...
The issue might be triggered by damon, offline_page, page_idle, etc., which would increase the refcount of the page table. The following consequences can occur:
1. The page table itself will be discarded after reporting the "nonzero mapcount."
2. The HugeTLB page mapped by the page table will not be freed, since the shared page table is never unmapped.
Solution
To fix this vulnerability, an independent PMD page table shared count is introduced, so that huge_pmd_unshare() no longer infers sharing from the folio refcount. As described in the comments, pt_index/pt_mm/pt_frag_refcount are used only for s390 gmap, x86 pgds and powerpc, so for x86/arm64/riscv pmds the field backing them is free and can be reused as pt_share_count.
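To make the two checks concrete, here is an added user-space model written for this post (not kernel code): pt_refcount stands in for the folio refcount the old huge_pmd_unshare() inspected, pt_share_count for the new independent field, and leaked_pages() is a constructed driver that runs a table's sole user through unshare while an unrelated walker holds a stray reference.

```c
/* Added model of the huge_pmd_unshare() decision before/after the fix.
 * All names here are constructed for illustration, not the kernel's. */
#include <stdbool.h>

struct pmd_table {
    int pt_refcount;     /* folio refcount: allocation + sharers + stray refs */
    int pt_share_count;  /* fix: counts sharing mms only */
    int mapped_pages;    /* hugetlb pages still mapped through this table */
};

/* How a pmd table comes to be shared by another mm. */
static void huge_pmd_share(struct pmd_table *pt) {
    pt->pt_refcount++;     /* old code: get_page() */
    pt->pt_share_count++;  /* new code: ptdesc_pmd_pts_inc() */
}

/* Old decision: "shared" iff page_count != 1. Returns 1 if the table was
 * detached with its PTEs untouched, 0 if the caller must unmap them. */
static int huge_pmd_unshare_old(struct pmd_table *pt) {
    if (pt->pt_refcount == 1)
        return 0;
    pt->pt_refcount--;     /* put_page() */
    return 1;
}

/* Fixed decision: consult only the independent share count. */
static int huge_pmd_unshare_new(struct pmd_table *pt) {
    if (pt->pt_share_count == 0)
        return 0;
    pt->pt_share_count--;  /* ptdesc_pmd_pts_dec() */
    return 1;
}

/* Sole user of a table unshares it while e.g. damon/page_idle holds a
 * stray try_get_folio() reference; returns hugetlb pages left mapped. */
static int leaked_pages(int (*unshare)(struct pmd_table *), bool stray_ref) {
    struct pmd_table pt = { .pt_refcount = 1, .pt_share_count = 0, .mapped_pages = 4 };
    if (stray_ref)
        pt.pt_refcount++;     /* try_get_folio() from a page walker */
    if (unshare(&pt) == 0)
        pt.mapped_pages = 0;  /* caller unmaps and frees the hugetlb pages */
    return pt.mapped_pages;   /* nonzero: table dropped with live mappings */
}

/* A genuinely shared table: both code paths must still detach the first
 * user and let the last user unmap. Returns pages leaked at the end. */
static int shared_then_freed(int (*unshare)(struct pmd_table *)) {
    struct pmd_table pt = { .pt_refcount = 1, .pt_share_count = 0, .mapped_pages = 4 };
    huge_pmd_share(&pt);
    if (unshare(&pt) != 1) return -1;   /* first user: detach only */
    if (unshare(&pt) == 0) pt.mapped_pages = 0;  /* last user unmaps */
    return pt.mapped_pages;
}
```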
Original references and patches related to this vulnerability can be found at the links below:
- Patch 1/2: folio: introduce page_pt_share_count()
- Patch 2/2: hugetlbfs: maintain independent PMD page table shared count
Conclusion
CVE-2024-57883 is a critical vulnerability in the Linux kernel that can result in a leaked page table. It is essential for Linux kernel developers and maintainers to be aware of this issue and apply the appropriate patches to their systems. By introducing an independent PMD page table shared count, this vulnerability can be resolved, ensuring the stable and secure operation of the Linux kernel.
Timeline
Published on: 01/15/2025 13:15:12 UTC
Last modified on: 01/20/2025 06:28:50 UTC