mm：修复延迟拆分赛车作品集迁移导致的崩溃（CVE-2024-42234）

admin

0
文章

0
评论

2024-08-10 12:27:30 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

mm：修复延迟拆分赛车作品集迁移导致的崩溃（CVE-2024-42234）

CVE编号

CVE-2024-42234

利用情况

暂无

补丁情况

N/A

披露时间

2024-08-08

漏洞描述

In the Linux kernel, the following vulnerability has been resolved: mm: fix crashes from deferred split racing folio migration Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration. 6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on. Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://git.kernel.org/stable/c/be9581ea8c058d81154251cb0695987098996cad
https://git.kernel.org/stable/c/fc7facce686b64201dbf0b9614cc1d0bfad70010

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	debian_11	linux	*		Up to (excluding) 5.10.221-1
	运行在以下环境
	系统	debian_12	linux	*		Up to (excluding) 6.1.99-1
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 6.7	Up to (excluding) 6.9.10