CVE-2024-35797

1) A swapin error can have resulted in a poisoned swap entry in the shmem inode's xarray. Calling getshadowfromswapcache() on it will result in an out-of-bounds access to swapper_spaces[].

Validate the entry with nonswapentry() before going further.

2) When we find a valid swap entry in the shmem's inode, the shadow entry in the swapcache might not exist yet: swap IO is still in progress and we're before _removemapping; swapin, invalidation, or swapoff have removed the shadow from swapcache after we saw the shmem swap entry.

This will send a NULL to workingsettestrecent(). The latter purely operates on pointer bits, so it won't crash - node 0, memcg ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a bogus test. In theory that could result in a false "recently evicted" count.

Such a false positive wouldn't be the end of the world. But for code clarity and (future) robustness, be explicit about this case.

Bail on getshadowfromswapcache() returning NULL.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

cf264e1329fb0307e044f7675849f9f38b44c11a

Fixed

b79f9e1ff27c994a4c452235ba09e672ec698e23

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

cf264e1329fb0307e044f7675849f9f38b44c11a

Fixed

d962f6c583458037dc7e529659b2b02b9dd3d94b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

cf264e1329fb0307e044f7675849f9f38b44c11a

Fixed

24a0e73d544439bb9329fbbafac44299e548a677

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

cf264e1329fb0307e044f7675849f9f38b44c11a

Fixed

d5d39c707a4cf0bcc84680178677b97aa2cb2627

Affected versions

v6.*

v6.4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.10

v6.7.11

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

v6.8.2

v6.9-rc1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-35797-1b161daf",
        "target": {
            "file": "mm/filemap.c",
            "function": "filemap_cachestat"
        },
        "digest": {
            "length": 1114.0,
            "function_hash": "192200486150321592379471245792757658638"
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d962f6c583458037dc7e529659b2b02b9dd3d94b",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2024-35797-8f30eae5",
        "target": {
            "file": "mm/filemap.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "54635161668443040343090476350748340384",
                "181616362904878281449699311122492575212",
                "73089063077801730080726332328103537544",
                "221436267860269095891710196911331216004"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d962f6c583458037dc7e529659b2b02b9dd3d94b",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.6.24

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.7.12

Type: ECOSYSTEM
Events: Introduced

6.8.0

Fixed

6.8.3