CVE-2024-27022

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-27022
Downstream
Related
Published
2024-05-01T05:35:39Z
Modified
2025-10-15T09:07:57.718861Z
Summary
fork: defer linking file vma until vma is fully initialized
Details

In the Linux kernel, the following vulnerability has been resolved:

fork: defer linking file vma until vma is fully initialized

Thorvald reported a WARNING [1]. And the root cause is below race:

CPU 1 CPU 2 fork hugetlbfsfallocate dupmmap hugetlbfspunchhole immaplockwrite(mapping); vmaintervaltreeinsertafter -- Child vma is visible through immap tree. immapunlockwrite(mapping); hugetlbdupvmaprivate -- Clear vmalock outside immaprwsem! immaplockwrite(mapping); hugetlbvmdeletelist vmaintervaltreeforeach hugetlbvmatrylockwrite -- Vmalock is cleared. tmp->vmops->open -- Alloc new vmalock outside immaprwsem! hugetlbvmaunlockwrite -- Vmalock is assigned!!! immapunlockwrite(mapping);

hugetlbdupvmaprivate() and hugetlbvmopopen() are called outside immaprwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8d9bfb2608145cf3e408428c224099e1585471af
Fixed
abdb88dd272bbeb93efe01d8e0b7b17e24af3a34
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
8d9bfb2608145cf3e408428c224099e1585471af
Fixed
35e351780fa9d8240dd6f7e4f245f9ea37e96c19

Affected versions

v6.*

v6.0
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abdb88dd272bbeb93efe01d8e0b7b17e24af3a34",
            "signature_type": "Line",
            "target": {
                "file": "kernel/fork.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "4399987533757603770671843324208812196",
                    "321689459279115594425085382555534876519",
                    "254577188029899203364295065082991605318",
                    "14826449155807757031966669423832149279",
                    "289128195497148162080431874845565431222",
                    "332898848559431906416902623283369077602",
                    "247511779865420991314233689511371285381",
                    "104583346785158407057609979364916845471",
                    "155063948034644845115821660252913177247",
                    "313340266186718893671042436684020974928",
                    "76158572329845274791580400443641431309",
                    "145840019012278906845303443044198959676",
                    "249414444906711250051323917351242638754",
                    "336175453381225048991963951080469629246",
                    "80062990219649173737896100883731841511"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-27022-4a180592"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abdb88dd272bbeb93efe01d8e0b7b17e24af3a34",
            "signature_type": "Function",
            "target": {
                "function": "dup_mmap",
                "file": "kernel/fork.c"
            },
            "deprecated": false,
            "digest": {
                "length": 2738.0,
                "function_hash": "121788053258155099944162709800893328600"
            },
            "id": "CVE-2024-27022-72fd6109"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35e351780fa9d8240dd6f7e4f245f9ea37e96c19",
            "signature_type": "Function",
            "target": {
                "function": "dup_mmap",
                "file": "kernel/fork.c"
            },
            "deprecated": false,
            "digest": {
                "length": 2738.0,
                "function_hash": "121788053258155099944162709800893328600"
            },
            "id": "CVE-2024-27022-a0908224"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35e351780fa9d8240dd6f7e4f245f9ea37e96c19",
            "signature_type": "Line",
            "target": {
                "file": "kernel/fork.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "4399987533757603770671843324208812196",
                    "321689459279115594425085382555534876519",
                    "254577188029899203364295065082991605318",
                    "14826449155807757031966669423832149279",
                    "289128195497148162080431874845565431222",
                    "332898848559431906416902623283369077602",
                    "247511779865420991314233689511371285381",
                    "104583346785158407057609979364916845471",
                    "155063948034644845115821660252913177247",
                    "313340266186718893671042436684020974928",
                    "76158572329845274791580400443641431309",
                    "145840019012278906845303443044198959676",
                    "249414444906711250051323917351242638754",
                    "336175453381225048991963951080469629246",
                    "80062990219649173737896100883731841511"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-27022-a3f0073d"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.8.8