Bug 2320460 (CVE-2024-49964) - CVE-2024-49964 kernel: mm/hugetlb: fix memfd_pin_folios free_huge_pages leak
Summary: CVE-2024-49964 kernel: mm/hugetlb: fix memfd_pin_folios free_huge_pages leak
Keywords:
Status: NEW
Alias: CVE-2024-49964
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2320809
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-10-21 19:03 UTC by OSIDB Bzimport
Modified: 2024-10-21 23:21 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-10-21 19:03:29 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix memfd_pin_folios free_huge_pages leak

memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages
if the pages were not already faulted in, because the folio refcount for
pages created by memfd_alloc_folio never goes to 0.  memfd_pin_folios
needs another folio_put to undo the folio_try_get below:

memfd_alloc_folio()
  alloc_hugetlb_folio_nodemask()
    dequeue_hugetlb_folio_nodemask()
      dequeue_hugetlb_folio_node_exact()
        folio_ref_unfreeze(folio, 1);    ; adds 1 refcount
  folio_try_get()                        ; adds 1 refcount
  hugetlb_add_to_page_cache()            ; adds 512 refcount (on x86)

With the fix, after memfd_pin_folios + unpin_folios, the refcount for the
(unfaulted) page is 512, which is correct, as the refcount for a faulted
unpinned page is 513.
Comment 1 Robb Gatica 2024-10-21 22:29:59 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102132-CVE-2024-49964-e06e@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.