CVE-2024-42233

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-42233
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42233.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-42233
Downstream
Published
2024-08-07T15:14:23Z
Modified
2025-10-22T00:42:34.048446Z
Summary
filemap: replace pte_offset_map() with pte_offset_map_nolock()
Details

In the Linux kernel, the following vulnerability has been resolved:

filemap: replace pte_offset_map() with pte_offset_map_nolock()

The vmf->ptl in filemap_fault_recheck_pte_none() is still set from handle_pte_fault(). But at the same time, we did a pte_unmap(vmf->pte). After a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table may be racily changed and vmf->ptl may fail to protect the actual page table. Fix this by replacing pte_offset_map() with pte_offset_map_nolock().

As David said, the PTL pointer might be stale so if we continue to use it in filemap_fault_recheck_pte_none(), it might trigger UAF. Also, if the PTL fails, the issue fixed by commit 58f327f2ce80 ("filemap: avoid unnecessary major faults in filemap_fault()") might reappear.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
58f327f2ce80f9c7b4a70e9cf017ae8810d44a20
Fixed
6a6c2aec1a89506595801b4cf7e8eef035f33748
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
58f327f2ce80f9c7b4a70e9cf017ae8810d44a20
Fixed
24be02a42181f0707be0498045c4c4b13273b16d

Affected versions

v6.*

v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.8
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.9.10