CVE-2024-40915

_kernelmap_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages.

This function set/clear the valid bit using _setmemory(). _setmemory() acquires initmm's semaphore, and this operation may sleep. This is problematic, because _kernelmappages() can be called in atomic context, and thus is illegal to sleep. An example warning that this causes:

BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 2, name: kthreadd preemptcount: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<ffffffff800060dc>] dumpbacktrace+0x1c/0x24 [<ffffffff8091ef6e>] showstack+0x2c/0x38 [<ffffffff8092baf8>] dumpstacklvl+0x5a/0x72 [<ffffffff8092bb24>] dumpstack+0x14/0x1c [<ffffffff8003b7ac>] _mightresched+0x104/0x10e [<ffffffff8003b7f4>] _mightsleep+0x3e/0x62 [<ffffffff8093276a>] downwrite+0x20/0x72 [<ffffffff8000cf00>] _setmemory+0x82/0x2fa [<ffffffff8000d324>] _kernelmappages+0x5a/0xd4 [<ffffffff80196cca>] _allocpagesbulk+0x3b2/0x43a [<ffffffff8018ee82>] _vmallocnoderange+0x196/0x6ba [<ffffffff80011904>] copyprocess+0x72c/0x17ec [<ffffffff80012ab4>] kernelclone+0x60/0x2fe [<ffffffff80012f62>] kernelthread+0x82/0xa0 [<ffffffff8003552c>] kthreadd+0x14a/0x1be [<ffffffff809357de>] retfromfork+0xe/0x1c

Rewrite this function with applytoexistingpagerange(). It is fine to not have any locking, because _kernelmap_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5fde3db5eb028b95aeefa1ab192d36800414e8b8

Fixed

919f8626099d9909b9a9620b05e8c8ab06581876

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5fde3db5eb028b95aeefa1ab192d36800414e8b8

Fixed

8661a7af04991201640863ad1a0983173f84b5eb

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5fde3db5eb028b95aeefa1ab192d36800414e8b8

Fixed

d5257ceb19d92069195254866421f425aea42915

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5fde3db5eb028b95aeefa1ab192d36800414e8b8

Fixed

fb1cf0878328fe75d47f0aed0a65b30126fcefc4

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.6

v5.6-rc5

v5.6-rc6

v5.6-rc7

v5.7

v5.7-rc1

v5.7-rc2

v5.7-rc3

v5.7-rc4

v5.7-rc5

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.84

v6.1.85

v6.1.86

v6.1.87

v6.1.88

v6.1.89

v6.1.9

v6.1.90

v6.1.91

v6.1.92

v6.1.93

v6.1.94

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

v6.9.1

v6.9.2

v6.9.3

v6.9.4

v6.9.5

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5257ceb19d92069195254866421f425aea42915",
        "target": {
            "file": "arch/riscv/mm/pageattr.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "148126207944728173651656797549629591118",
                "42297094463228431792522376150873166176",
                "105734223747640000971967129990020537227",
                "189604853587076892682893690935937348650",
                "339779487458405179493239827246561934115",
                "112070571865624452891866612536450817144",
                "60366805529988115294253836754594333204",
                "93811107597686835600187859499391529045",
                "54304844835848699155242500152542850532",
                "93851728560124950505959665612632189405",
                "287273060614530404081436898147662164857",
                "42070807573537205137218171276935865394",
                "38435564151044321187547943942400838353",
                "211086035157734148709472859148155041485"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-40915-01080943"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8661a7af04991201640863ad1a0983173f84b5eb",
        "target": {
            "function": "__kernel_map_pages",
            "file": "arch/riscv/mm/pageattr.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "177440876833028715063345196142187379521",
            "length": 327.0
        },
        "id": "CVE-2024-40915-159d8995"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb1cf0878328fe75d47f0aed0a65b30126fcefc4",
        "target": {
            "function": "__kernel_map_pages",
            "file": "arch/riscv/mm/pageattr.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "177440876833028715063345196142187379521",
            "length": 327.0
        },
        "id": "CVE-2024-40915-247cf20b"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5257ceb19d92069195254866421f425aea42915",
        "target": {
            "function": "__kernel_map_pages",
            "file": "arch/riscv/mm/pageattr.c"
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "177440876833028715063345196142187379521",
            "length": 327.0
        },
        "id": "CVE-2024-40915-2bb54193"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8661a7af04991201640863ad1a0983173f84b5eb",
        "target": {
            "file": "arch/riscv/mm/pageattr.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "148126207944728173651656797549629591118",
                "42297094463228431792522376150873166176",
                "105734223747640000971967129990020537227",
                "189604853587076892682893690935937348650",
                "339779487458405179493239827246561934115",
                "112070571865624452891866612536450817144",
                "60366805529988115294253836754594333204",
                "93811107597686835600187859499391529045",
                "54304844835848699155242500152542850532",
                "93851728560124950505959665612632189405",
                "287273060614530404081436898147662164857",
                "42070807573537205137218171276935865394",
                "38435564151044321187547943942400838353",
                "211086035157734148709472859148155041485"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-40915-432a9883"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb1cf0878328fe75d47f0aed0a65b30126fcefc4",
        "target": {
            "file": "arch/riscv/mm/pageattr.c"
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "148126207944728173651656797549629591118",
                "42297094463228431792522376150873166176",
                "105734223747640000971967129990020537227",
                "189604853587076892682893690935937348650",
                "339779487458405179493239827246561934115",
                "112070571865624452891866612536450817144",
                "60366805529988115294253836754594333204",
                "93811107597686835600187859499391529045",
                "54304844835848699155242500152542850532",
                "93851728560124950505959665612632189405",
                "287273060614530404081436898147662164857",
                "42070807573537205137218171276935865394",
                "38435564151044321187547943942400838353",
                "211086035157734148709472859148155041485"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-40915-5b81204b"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.7.0

Fixed

6.1.95

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.35

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.9.6