CVE-2024-27022
Vulnerability from cvelistv5
Published
2024-05-01 05:35
Modified
2024-12-19 08:52
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.
Impacted products
Vendor Product Version
Linux Linux Version: 6.1
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.791Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/04b0c41912349aff11a1bbaef6a722bd7fbb90ac"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dd782da470761077f4d1120e191f1a35787cda6e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-27022",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:44:40.515074Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:37.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/fork.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c42f7e039aba3de6d7dbf92da708e2b2ecba557",
              "status": "affected",
              "version": "8d9bfb2608145cf3e408428c224099e1585471af",
              "versionType": "git"
            },
            {
              "lessThan": "04b0c41912349aff11a1bbaef6a722bd7fbb90ac",
              "status": "affected",
              "version": "8d9bfb2608145cf3e408428c224099e1585471af",
              "versionType": "git"
            },
            {
              "lessThan": "cec11fa2eb512ebe3a459c185f4aca1d44059bbf",
              "status": "affected",
              "version": "8d9bfb2608145cf3e408428c224099e1585471af",
              "versionType": "git"
            },
            {
              "lessThan": "dd782da470761077f4d1120e191f1a35787cda6e",
              "status": "affected",
              "version": "8d9bfb2608145cf3e408428c224099e1585471af",
              "versionType": "git"
            },
            {
              "lessThan": "abdb88dd272bbeb93efe01d8e0b7b17e24af3a34",
              "status": "affected",
              "version": "8d9bfb2608145cf3e408428c224099e1585471af",
              "versionType": "git"
            },
            {
              "lessThan": "35e351780fa9d8240dd6f7e4f245f9ea37e96c19",
              "status": "affected",
              "version": "8d9bfb2608145cf3e408428c224099e1585471af",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/fork.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.90",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfork: defer linking file vma until vma is fully initialized\n\nThorvald reported a WARNING [1]. And the root cause is below race:\n\n CPU 1\t\t\t\t\tCPU 2\n fork\t\t\t\t\thugetlbfs_fallocate\n  dup_mmap\t\t\t\t hugetlbfs_punch_hole\n   i_mmap_lock_write(mapping);\n   vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.\n   i_mmap_unlock_write(mapping);\n   hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t i_mmap_lock_write(mapping);\n   \t\t\t\t\t hugetlb_vmdelete_list\n\t\t\t\t\t  vma_interval_tree_foreach\n\t\t\t\t\t   hugetlb_vma_trylock_write -- Vma_lock is cleared.\n   tmp-\u003evm_ops-\u003eopen -- Alloc new vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t   hugetlb_vma_unlock_write -- Vma_lock is assigned!!!\n\t\t\t\t\t i_mmap_unlock_write(mapping);\n\nhugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside\ni_mmap_rwsem lock while vma lock can be used in the same time.  Fix this\nby deferring linking file vma until vma is fully initialized.  Those vmas\nshould be initialized first before they can be used."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:52:41.276Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557"
        },
        {
          "url": "https://git.kernel.org/stable/c/04b0c41912349aff11a1bbaef6a722bd7fbb90ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd782da470761077f4d1120e191f1a35787cda6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34"
        },
        {
          "url": "https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19"
        }
      ],
      "title": "fork: defer linking file vma until vma is fully initialized",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-27022",
    "datePublished": "2024-05-01T05:35:39.627Z",
    "dateReserved": "2024-02-19T14:20:24.210Z",
    "dateUpdated": "2024-12-19T08:52:41.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-27022\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-01T06:15:21.110\",\"lastModified\":\"2024-11-21T09:03:41.010\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfork: defer linking file vma until vma is fully initialized\\n\\nThorvald reported a WARNING [1]. And the root cause is below race:\\n\\n CPU 1\\t\\t\\t\\t\\tCPU 2\\n fork\\t\\t\\t\\t\\thugetlbfs_fallocate\\n  dup_mmap\\t\\t\\t\\t hugetlbfs_punch_hole\\n   i_mmap_lock_write(mapping);\\n   vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.\\n   i_mmap_unlock_write(mapping);\\n   hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!\\n\\t\\t\\t\\t\\t i_mmap_lock_write(mapping);\\n   \\t\\t\\t\\t\\t hugetlb_vmdelete_list\\n\\t\\t\\t\\t\\t  vma_interval_tree_foreach\\n\\t\\t\\t\\t\\t   hugetlb_vma_trylock_write -- Vma_lock is cleared.\\n   tmp-\u003evm_ops-\u003eopen -- Alloc new vma_lock outside i_mmap_rwsem!\\n\\t\\t\\t\\t\\t   hugetlb_vma_unlock_write -- Vma_lock is assigned!!!\\n\\t\\t\\t\\t\\t i_mmap_unlock_write(mapping);\\n\\nhugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside\\ni_mmap_rwsem lock while vma lock can be used in the same time.  Fix this\\nby deferring linking file vma until vma is fully initialized.  Those vmas\\nshould be initialized first before they can be used.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: fork: posponga la vinculaci\u00f3n del archivo vma hasta que vma est\u00e9 completamente inicializado. Thorvald inform\u00f3 una ADVERTENCIA [1]. Y la causa ra\u00edz est\u00e1 por debajo de la raza: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after: el vma secundario es visible a trav\u00e9s del \u00e1rbol i_mmap. i_mmap_unlock_write(mapeo); enormetlb_dup_vma_private: \u00a1borre vma_lock fuera de i_mmap_rwsem! i_mmap_lock_write(mapeo); Hugetlb_vmdelete_list vma_interval_tree_foreach Hugetlb_vma_trylock_write: Vma_lock est\u00e1 borrado. tmp-\u0026gt;vm_ops-\u0026gt;open - \u00a1Asigne nuevo vma_lock fuera de i_mmap_rwsem! enormetlb_vma_unlock_write - \u00a1\u00a1\u00a1Vma_lock est\u00e1 asignado!!! i_mmap_unlock_write(mapeo); Hugetlb_dup_vma_private() y hugetlb_vm_op_open() se llaman fuera del bloqueo i_mmap_rwsem, mientras que el bloqueo vma se puede utilizar al mismo tiempo. Solucione este problema posponiendo la vinculaci\u00f3n del archivo vma hasta que vma est\u00e9 completamente inicializado. Esos vmas deben inicializarse primero antes de poder usarlos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1\",\"versionEndExcluding\":\"6.1.90\",\"matchCriteriaId\":\"A3D09CE2-613D-4A40-BA4F-D0E43023E4C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.30\",\"matchCriteriaId\":\"84046DAF-73CF-429D-9BA4-05B658B377B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.8.8\",\"matchCriteriaId\":\"673B3328-389D-41A4-9617-669298635262\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"52048DDA-FC5A-4363-95A0-A6357B4D7F8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A06B2CCF-3F43-4FA9-8773-C83C3F5764B2\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/04b0c41912349aff11a1bbaef6a722bd7fbb90ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dd782da470761077f4d1120e191f1a35787cda6e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/04b0c41912349aff11a1bbaef6a722bd7fbb90ac\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dd782da470761077f4d1120e191f1a35787cda6e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.