CVE-2023-52490

CVE Details

Release Date: 2024-02-29

Description


In the Linux kernel, the following vulnerability has been resolved:

mm: migrate: fix getting incorrect page mapping during page migration

When running stress-ng testing, we found the below kernel crash after a few hours:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : dentry_name+0xd8/0x224
lr : pointer+0x22c/0x370
sp : ffff800025f134c0
......
Call trace:
dentry_name+0xd8/0x224
pointer+0x22c/0x370
vsnprintf+0x1ec/0x730
vscnprintf+0x2c/0x60
vprintk_store+0x70/0x234
vprintk_emit+0xe0/0x24c
vprintk_default+0x3c/0x44
vprintk_func+0x84/0x2d0
printk+0x64/0x88
__dump_page+0x52c/0x530
dump_page+0x14/0x20
set_migratetype_isolate+0x110/0x224
start_isolate_page_range+0xc4/0x20c
offline_pages+0x124/0x474
memory_block_offline+0x44/0xf4
memory_subsys_offline+0x3c/0x70
device_offline+0xf0/0x120
......

After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that one thread is doing page migration, and we will use the target page's ->mapping field to save the 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1.

Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves the 'anon_vma' pointer without setting the PAGE_MAPPING_ANON flag.

There are several ways to fix this issue:

(1) Setting the PAGE_MAPPING_ANON flag for the target page's ->mapping when saving 'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet.

(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system; however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction.

(3) Using the target page->private field to save the 'anon_vma' pointer and 2 bits of page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way.

So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.
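As an added illustration (a userspace model written for this page, not kernel code and not part of the CVE record), the pointer-tagging rule behind the crash: page_mapping() treats any ->mapping with a low tag bit set as "not a file mapping", so a raw anon_vma pointer stashed there untagged is handed to dump_page() as if it were an address_space, while option 3 keeps the pointer in ->private together with two state bits and leaves ->mapping NULL. The struct layouts and the PAGE_WAS_MAPPED/PAGE_WAS_MLOCKED names are assumptions.

```c
/* Added userspace model, not kernel code; the PAGE_WAS_* names are assumed. */
#include <stddef.h>
#include <stdint.h>
#define PAGE_MAPPING_ANON  0x1UL  /* kernel tags an anon page's ->mapping with this */
#define PAGE_MAPPING_FLAGS 0x3UL  /* ANON | MOVABLE: either bit means "not a file mapping" */
#define PAGE_WAS_MAPPED    0x1UL  /* 2 bits of old page state carried in ->private */
#define PAGE_WAS_MLOCKED   0x2UL
#define PAGE_OLD_STATES    (PAGE_WAS_MAPPED | PAGE_WAS_MLOCKED)
struct anon_vma { long pad; };    /* 8-byte aligned, so the low 2 bits are free */
struct address_space { long pad; };
struct page { void *mapping; uintptr_t private; };

/* Kernel rule: a tagged ->mapping is anon/movable, so PFN walkers get NULL. */
struct address_space *page_mapping(const struct page *p)
{
    uintptr_t m = (uintptr_t)p->mapping;
    return (m & PAGE_MAPPING_FLAGS) ? NULL : (struct address_space *)m;
}

/* Option 3: ->private carries anon_vma plus state bits; ->mapping stays NULL. */
void migrate_record(struct page *dst, struct anon_vma *av, uintptr_t state)
{
    dst->private = (uintptr_t)av | (state & PAGE_OLD_STATES);
    dst->mapping = NULL;
}
struct anon_vma *migrate_extract(struct page *dst, uintptr_t *state)
{
    uintptr_t priv = dst->private;
    *state = priv & PAGE_OLD_STATES;
    dst->private = 0;
    return (struct anon_vma *)(priv & ~PAGE_OLD_STATES);
}

/* Before the fix: raw anon_vma in ->mapping with no ANON tag reads as a file
 * mapping, which is what a concurrent dump_page() then dereferences. */
int before_fix_misreads_mapping(void)
{
    static struct anon_vma av;
    struct page dst = { .mapping = &av, .private = 0 };
    return page_mapping(&dst) == (struct address_space *)&av;
}
/* After the fix: the walker sees NULL and migration still recovers its state. */
int after_fix_round_trips(void)
{
    static struct anon_vma av;
    uintptr_t st; struct page dst = { NULL, 0 };
    migrate_record(&dst, &av, PAGE_WAS_MAPPED | PAGE_WAS_MLOCKED);
    if (page_mapping(&dst) != NULL) return 0;
    return migrate_extract(&dst, &st) == &av && st == PAGE_OLD_STATES && dst.private == 0;
}
```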

See more information about CVE-2023-52490 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


Platform                         Errata           Release Date
Oracle Linux version 9 (kernel)  ELSA-2024-9315   2024-11-14

