CVE-2024-35797

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35797
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35797.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-35797
Downstream
Related
Published
2024-05-17T13:23:08Z
Modified
2025-10-21T21:26:09.114585Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
mm: cachestat: fix two shmem bugs
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: cachestat: fix two shmem bugs

When cachestat on shmem races with swapping and invalidation, there are two possible bugs:

1) A swapin error can have resulted in a poisoned swap entry in the shmem inode's xarray. Calling getshadowfromswapcache() on it will result in an out-of-bounds access to swapper_spaces[].

Validate the entry with nonswapentry() before going further.

2) When we find a valid swap entry in the shmem's inode, the shadow entry in the swapcache might not exist yet: swap IO is still in progress and we're before _removemapping; swapin, invalidation, or swapoff have removed the shadow from swapcache after we saw the shmem swap entry.

This will send a NULL to workingsettestrecent(). The latter purely operates on pointer bits, so it won't crash - node 0, memcg ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a bogus test. In theory that could result in a false "recently evicted" count.

Such a false positive wouldn't be the end of the world. But for code clarity and (future) robustness, be explicit about this case.

Bail on getshadowfromswapcache() returning NULL.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cf264e1329fb0307e044f7675849f9f38b44c11a
Fixed
b79f9e1ff27c994a4c452235ba09e672ec698e23
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cf264e1329fb0307e044f7675849f9f38b44c11a
Fixed
d962f6c583458037dc7e529659b2b02b9dd3d94b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cf264e1329fb0307e044f7675849f9f38b44c11a
Fixed
24a0e73d544439bb9329fbbafac44299e548a677
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cf264e1329fb0307e044f7675849f9f38b44c11a
Fixed
d5d39c707a4cf0bcc84680178677b97aa2cb2627

Affected versions

v6.*

v6.4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.10
v6.7.11
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.9
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.9-rc1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.24
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.12
Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.8.3