CVE-2023-52934

27.03.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups

In commit 34488399fa08 ("mm/madvise: add file and shmem support to
MADV_COLLAPSE") we make the following change to find_pmd_or_thp_or_none():

	-       if (!pmd_present(pmde))
	-               return SCAN_PMD_NULL;
	+       if (pmd_none(pmde))
	+               return SCAN_PMD_NONE;

This was for-use by MADV_COLLAPSE file/shmem codepaths, where
MADV_COLLAPSE might identify a pte-mapped hugepage, only to have
khugepaged race-in, free the pte table, and clear the pmd.  Such codepaths
include:

A) If we find a suitably-aligned compound page of order HPAGE_PMD_ORDER
   already in the pagecache.
B) In retract_page_tables(), if we fail to grab mmap_lock for the target
   mm/address.

In these cases, collapse_pte_mapped_thp() really does expect a none (not
just !present) pmd, and we want to suitably identify that case separate
from the case where no pmd is found, or it's a bad-pmd (of course, many
things could happen once we drop mmap_lock, and the pmd could plausibly
undergo multiple transitions due to intervening fault, split, etc). 
Regardless, the code is prepared install a huge-pmd only when the existing
pmd entry is either a genuine pte-table-mapping-pmd, or the none-pmd.

However, the commit introduces a logical hole; namely, that we've allowed
!none- && !huge- && !bad-pmds to be classified as genuine
pte-table-mapping-pmds.  One such example that could leak through are swap
entries.  The pmd values aren't checked again before use in
pte_offset_map_lock(), which is expecting nothing less than a genuine
pte-table-mapping-pmd.

We want to put back the !pmd_present() check (below the pmd_none() check),
but need to be careful to deal with subtleties in pmd transitions and
treatments by various arch.

The issue is that __split_huge_pmd_locked() temporarily clears the present
bit (or otherwise marks the entry as invalid), but pmd_present() and
pmd_trans_huge() still need to return true while the pmd is in this
transitory state.  For example, x86's pmd_present() also checks the
_PAGE_PSE , riscv's version also checks the _PAGE_LEAF bit, and arm64 also
checks a PMD_PRESENT_INVALID bit.

Covering all 4 cases for x86 (all checks done on the same pmd value):

1) pmd_present() && pmd_trans_huge()
   All we actually know here is that the PSE bit is set. Either:
   a) We aren't racing with __split_huge_page(), and PRESENT or PROTNONE
      is set.
      => huge-pmd
   b) We are currently racing with __split_huge_page().  The danger here
      is that we proceed as-if we have a huge-pmd, but really we are
      looking at a pte-mapping-pmd.  So, what is the risk of this
      danger?

      The only relevant path is:

	madvise_collapse() -> collapse_pte_mapped_thp()

      Where we might just incorrectly report back "success", when really
      the memory isn't pmd-backed.  This is fine, since split could
      happen immediately after (actually) successful madvise_collapse().
      So, it should be safe to just assume huge-pmd here.

2) pmd_present() && !pmd_trans_huge()
   Either:
   a) PSE not set and either PRESENT or PROTNONE is.
      => pte-table-mapping pmd (or PROT_NONE)
   b) devmap.  This routine can be called immediately after
      unlocking/locking mmap_lock -- or called with no locks held (see
      khugepaged_scan_mm_slot()), so previous VMA checks have since been
      invalidated.

3) !pmd_present() && pmd_trans_huge()
  Not possible.

4) !pmd_present() && !pmd_trans_huge()
  Neither PRESENT nor PROTNONE set
  => not present

I've checked all archs that implement pmd_trans_huge() (arm64, riscv,
powerpc, longarch, x86, mips, s390) and this logic roughly translates
(though devmap treatment is unique to x86 and powerpc, and (3) doesn't
necessarily hold in general -- but that doesn't matter since
!pmd_present() always takes failure path).

Also, add a comment above find_pmd_or_thp_or_none()
---truncated---

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
linux	linux_kernel	6.1 ≤ 𝑥 < 6.1.11
linux	linux_kernel	6.2:rc1
linux	linux_kernel	6.2:rc2
linux	linux_kernel	6.2:rc3
linux	linux_kernel	6.2:rc4
linux	linux_kernel	6.2:rc5
linux	linux_kernel	6.2:rc6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.129-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.19-1 fixed
sid	6.12.20-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-allwinner-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-aws-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-aws-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-aws-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-aws-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-aws-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-aws-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	needs-triage

linux-azure

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage
trusty	needs-triage

linux-azure-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-azure-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-azure-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

oracular	dne
noble	dne
jammy	needs-triage
focal	ignored

linux-azure-fde-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-fde-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-azure-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-bluefield

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-gcp

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage

linux-gcp-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-gcp-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-gcp-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-gcp-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-gcp-fips

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-gke

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gke-4.15

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gkeop-5.15

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gkeop-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	needs-triage

linux-hwe-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-hwe-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-hwe-edge

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-ibm-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-ibm-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-intel-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-intel-iotg-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-iot

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-kvm

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-lowlatency

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-lowlatency-hwe-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-lowlatency-hwe-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-lowlatency-hwe-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-lts-xenial

oracular	dne
noble	dne
jammy	dne
focal	dne
trusty	needs-triage

linux-nvidia

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-nvidia-lowlatency

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-nvidia-tegra

oracular	dne
noble	needs-triage
jammy	needs-triage
focal	dne

linux-nvidia-tegra-igx

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-oem

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.11

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oem-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oem-6.8

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-oracle

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-oracle-5.0

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-oracle-5.3

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-oracle-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-oracle-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-raspi

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-raspi-5.4

oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needs-triage

linux-raspi-realtime

oracular	dne
noble	needs-triage
jammy	dne
focal	dne

linux-raspi2

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-realtime

oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	dne

linux-riscv

oracular	needs-triage
noble	needs-triage
jammy	ignored
focal	ignored

linux-riscv-5.11

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-riscv-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

oracular	dne
noble	dne
jammy	needs-triage
focal	dne

linux-starfive-5.19

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

oracular	dne
noble	dne
jammy	ignored
focal	dne

linux-xilinx-zynqmp

oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/96aaaf8666010a39430cecf8a65c7ce2908a030f

https://git.kernel.org/stable/c/edb5d0cf5525357652aff6eacd9850b8ced07143