CVE-2024-27022
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-27022
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27022.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-27022
- Downstream
- Related
- Published
- 2024-05-01T05:35:39Z
- Modified
- 2025-10-15T09:07:57.718861Z
- Summary
- fork: defer linking file vma until vma is fully initialized
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
fork: defer linking file vma until vma is fully initialized
Thorvald reported a WARNING [1]. And the root cause is below race:
CPU 1 CPU 2 fork hugetlbfsfallocate dupmmap hugetlbfspunchhole immaplockwrite(mapping); vmaintervaltreeinsertafter -- Child vma is visible through immap tree. immapunlockwrite(mapping); hugetlbdupvmaprivate -- Clear vmalock outside immaprwsem! immaplockwrite(mapping); hugetlbvmdeletelist vmaintervaltreeforeach hugetlbvmatrylockwrite -- Vmalock is cleared. tmp->vmops->open -- Alloc new vmalock outside immaprwsem! hugetlbvmaunlockwrite -- Vmalock is assigned!!! immapunlockwrite(mapping);
hugetlbdupvmaprivate() and hugetlbvmopopen() are called outside immaprwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/04b0c41912349aff11a1bbaef6a722bd7fbb90ac
- https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557
- https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19
- https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34
- https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf
- https://git.kernel.org/stable/c/dd782da470761077f4d1120e191f1a35787cda6e
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8d9bfb2608145cf3e408428c224099e1585471afFixedabdb88dd272bbeb93efe01d8e0b7b17e24af3a34
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced8d9bfb2608145cf3e408428c224099e1585471afFixed35e351780fa9d8240dd6f7e4f245f9ea37e96c19
Affected versions
v6.*
v6.0
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
Database specific
{
"vanir_signatures": [
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abdb88dd272bbeb93efe01d8e0b7b17e24af3a34",
"signature_type": "Line",
"target": {
"file": "kernel/fork.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"4399987533757603770671843324208812196",
"321689459279115594425085382555534876519",
"254577188029899203364295065082991605318",
"14826449155807757031966669423832149279",
"289128195497148162080431874845565431222",
"332898848559431906416902623283369077602",
"247511779865420991314233689511371285381",
"104583346785158407057609979364916845471",
"155063948034644845115821660252913177247",
"313340266186718893671042436684020974928",
"76158572329845274791580400443641431309",
"145840019012278906845303443044198959676",
"249414444906711250051323917351242638754",
"336175453381225048991963951080469629246",
"80062990219649173737896100883731841511"
],
"threshold": 0.9
},
"id": "CVE-2024-27022-4a180592"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abdb88dd272bbeb93efe01d8e0b7b17e24af3a34",
"signature_type": "Function",
"target": {
"function": "dup_mmap",
"file": "kernel/fork.c"
},
"deprecated": false,
"digest": {
"length": 2738.0,
"function_hash": "121788053258155099944162709800893328600"
},
"id": "CVE-2024-27022-72fd6109"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35e351780fa9d8240dd6f7e4f245f9ea37e96c19",
"signature_type": "Function",
"target": {
"function": "dup_mmap",
"file": "kernel/fork.c"
},
"deprecated": false,
"digest": {
"length": 2738.0,
"function_hash": "121788053258155099944162709800893328600"
},
"id": "CVE-2024-27022-a0908224"
},
{
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35e351780fa9d8240dd6f7e4f245f9ea37e96c19",
"signature_type": "Line",
"target": {
"file": "kernel/fork.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"4399987533757603770671843324208812196",
"321689459279115594425085382555534876519",
"254577188029899203364295065082991605318",
"14826449155807757031966669423832149279",
"289128195497148162080431874845565431222",
"332898848559431906416902623283369077602",
"247511779865420991314233689511371285381",
"104583346785158407057609979364916845471",
"155063948034644845115821660252913177247",
"313340266186718893671042436684020974928",
"76158572329845274791580400443641431309",
"145840019012278906845303443044198959676",
"249414444906711250051323917351242638754",
"336175453381225048991963951080469629246",
"80062990219649173737896100883731841511"
],
"threshold": 0.9
},
"id": "CVE-2024-27022-a3f0073d"
}
]
}