CVE-2024-50022

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-50022
Downstream
Related
Published
2024-10-21T19:39:27.873Z
Modified
2025-11-20T06:56:17.021349Z
Summary
device-dax: correct pgoff align in dax_set_mapping()
Details

In the Linux kernel, the following vulnerability has been resolved:

device-dax: correct pgoff align in daxsetmapping()

pgoff should be aligned using ALIGNDOWN() instead of ALIGN(). Otherwise, vmf->address not aligned to faultsize will be aligned to the next alignment, that can result in memory failure getting the wrong address.

It's a subtle situation that only can be observed in pagemappedinvma() after the page is page fault handled by devdaxhugefault. Generally, there is little chance to perform pagemappedinvma in dev-dax's page unless in specific error injection to the dax device to trigger an MCE - memory-failure. In that case, pagemappedinvma() will be triggered to determine which task is accessing the failure address and kill that task in the end.

We used self-developed dax device (which is 2M aligned mapping) , to perform error injection to random address. It turned out that error injected to non-2M-aligned address was causing endless MCE until panic. Because pagemappedin_vma() kept resulting wrong address and the task accessing the failure address was never killed properly:

[ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3784.049006] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3784.448042] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3784.792026] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3784.792179] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3785.162502] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3785.162633] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3785.461116] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3785.461247] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3785.764730] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3785.764859] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3786.042128] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3786.042259] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3786.464293] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3786.464423] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3786.818090] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3786.818217] Memory failure: 0x200c9742: recovery action for dax page: Recovered [ 3787.085297] mce: Uncorrected hardware memory error in user-access at 200c9742380 [ 3787.085424] Memory failure: 0x200c9742: recovery action for dax page: Recovered

It took us several weeks to pinpoint this problem,  but we eventually used bpftrace to trace the page fault and mce address and successfully identified the issue.

Joao added:

; Likely we never reproduce in production because we always pin : device-dax regions in the region align they provide (Qemu does : similarly with prealloc in hugetlb/file backed memory). I think this : bug requires that we touch unpinned device-dax regions unaligned to : the device-dax selected alignment (page size i.e. 4K/2M/1G)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b9b5777f09be84d0de472ded2253d2f5101427f2
Fixed
9c4198dfdca818c5ce19c764d90eabd156bbc6da
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b9b5777f09be84d0de472ded2253d2f5101427f2
Fixed
b822007e8db341d6f175c645ed79866db501ad86
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b9b5777f09be84d0de472ded2253d2f5101427f2
Fixed
e877427d218159ac29c9326100920d24330c9ee6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b9b5777f09be84d0de472ded2253d2f5101427f2
Fixed
7fcbd9785d4c17ea533c42f20a9083a83f301fa6

Affected versions

v5.*

v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.101
v6.1.102
v6.1.103
v6.1.104
v6.1.105
v6.1.106
v6.1.107
v6.1.108
v6.1.109
v6.1.11
v6.1.110
v6.1.111
v6.1.112
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.12-rc1
v6.12-rc2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "255523872479182455813402012871739729214",
                "131924743838808245142077958612036104399",
                "151300951202217743895549581017924323051",
                "257134634160848892176806784443413413343"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e877427d218159ac29c9326100920d24330c9ee6",
        "target": {
            "file": "drivers/dax/device.c"
        },
        "id": "CVE-2024-50022-037188c5"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "255523872479182455813402012871739729214",
                "131924743838808245142077958612036104399",
                "151300951202217743895549581017924323051",
                "257134634160848892176806784443413413343"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9c4198dfdca818c5ce19c764d90eabd156bbc6da",
        "target": {
            "file": "drivers/dax/device.c"
        },
        "id": "CVE-2024-50022-082f121c"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "255523872479182455813402012871739729214",
                "131924743838808245142077958612036104399",
                "151300951202217743895549581017924323051",
                "257134634160848892176806784443413413343"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b822007e8db341d6f175c645ed79866db501ad86",
        "target": {
            "file": "drivers/dax/device.c"
        },
        "id": "CVE-2024-50022-0eb44043"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "255523872479182455813402012871739729214",
                "131924743838808245142077958612036104399",
                "151300951202217743895549581017924323051",
                "257134634160848892176806784443413413343"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7fcbd9785d4c17ea533c42f20a9083a83f301fa6",
        "target": {
            "file": "drivers/dax/device.c"
        },
        "id": "CVE-2024-50022-d2dc78ec"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.1.113
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.57
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.11.4