Bug 2337151 (CVE-2024-57881) - CVE-2024-57881 kernel: mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy()
Summary: CVE-2024-57881 kernel: mm/page_alloc: don't call pfn_to_page() on possibly no...
Keywords:
Status: NEW
Alias: CVE-2024-57881
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-01-11 16:01 UTC by OSIDB Bzimport
Modified: 2025-02-04 15:59 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-01-11 16:01:13 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm/page_alloc: don't call pfn_to_page() on possibly non-existent PFN in split_large_buddy()

In split_large_buddy(), we might call pfn_to_page() on a PFN that might
not exist.  In corner cases, such as when freeing the highest pageblock in
the last memory section, this could result with CONFIG_SPARSEMEM &&
!CONFIG_SPARSEMEM_EXTREME in __pfn_to_section() returning NULL and and
__section_mem_map_addr() dereferencing that NULL pointer.

Let's fix it, and avoid doing a pfn_to_page() call for the first
iteration, where we already have the page.

So far this was found by code inspection, but let's just CC stable as the
fix is easy.
Comment 1 Avinash Hanwate 2025-01-13 05:23:22 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025011146-CVE-2024-57881-7516@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.