{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: x86/mm/pat: fix VM_PAT handling in COW mappings",
    "id" : "2281720",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2281720"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nx86/mm/pat: fix VM_PAT handling in COW mappings\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios.  Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode.  We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n<--- C reproducer --->\n#include <stdio.h>\n#include <sys/mman.h>\n#include <unistd.h>\n#include <liburing.h>\nint main(void)\n{\nstruct io_uring_params p = {};\nint ring_fd;\nsize_t size;\nchar *map;\nring_fd = io_uring_setup(1, &p);\nif (ring_fd < 0) {\nperror(\"io_uring_setup\");\nreturn 1;\n}\nsize = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n/* Map the submission queue ring MAP_PRIVATE */\nmap = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\nring_fd, IORING_OFF_SQ_RING);\nif (map == MAP_FAILED) {\nperror(\"mmap\");\nreturn 1;\n}\n/* We have at least one page. Let's COW it. */\n*map = 0;\npause();\nreturn 0;\n}\n<--- C reproducer --->\nOn a system with 16 GiB RAM and swap configured:\n# ./iouring &\n# memhog 16G\n# killall iouring\n[  301.552930] ------------[ cut here ]------------\n[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[  301.565725] PKRU: 55555554\n[  301.565944] Call Trace:\n[  301.566148]  <TASK>\n[  301.566325]  ? untrack_pfn+0xf4/0x100\n[  301.566618]  ? __warn+0x81/0x130\n[  301.566876]  ? untrack_pfn+0xf4/0x100\n[  3\n---truncated---", "CVE-2024-35877 pertains to a flaw in the Linux kernel's handling of Page Attribute Table (PAT) settings during Copy-On-Write (COW) operations. When a write operation triggers a COW event, the kernel may replace the original page table entries (PTEs) with anonymous folios. This replacement disrupts the kernel's ability to accurately retrieve the correct page frame number (PFN) and cache mode using the follow_phys() function. Consequently, this mismanagement can lead to memory leaks or system instability.\nDuring COW operations, the kernel's PAT handling may incorrectly replace PTEs, leading to failures in functions like untrack_pfn() and track_pfn_copy(). This mismanagement can result in improper memory tracking and potential leaks.\nSystems may experience memory leaks or instability due to the kernel's inability to correctly manage memory attributes during COW events." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7001",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.22.1.rt7.363.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:7000",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.22.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-05-14T00:00:00Z",
    "advisory" : "RHSA-2025:7526",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.68.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35877\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35877\nhttps://lore.kernel.org/linux-cve-announce/2024051943-CVE-2024-35877-39e6@gregkh/T" ],
  "name" : "CVE-2024-35877",
  "csaw" : false
}