CVE-2024-40914

CVE Details

Release Date:

2024-07-12

Description

In the Linux kernel, the following vulnerability has been resolved:\nmm/huge_memory: don't unpoison huge_zero_folio\nWhen I did memory failure tests recently, below panic occurs:\nkernel BUG at include/linux/mm.h:1135!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14\nRIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\nRSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\nRAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\nRBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\nR10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\nFS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\nCall Trace:\n\ndo_shrink_slab+0x14f/0x6a0\nshrink_slab+0xca/0x8c0\nshrink_node+0x2d0/0x7d0\nbalance_pgdat+0x33a/0x720\nkswapd+0x1f3/0x410\nkthread+0xd5/0x100\nret_from_fork+0x2f/0x50\nret_from_fork_asm+0x1a/0x30\n\nModules linked in: mce_inject hwpoison_inject\n---[ end trace 0000000000000000 ]---\nRIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0\nRSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246\nRAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8\nRDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0\nRBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492\nR10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00\nFS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0\nThe root cause is that HWPoison flag will be set for huge_zero_folio\nwithout increasing the folio refcnt. But then unpoison_memory() will\ndecrease the folio refcnt unexpectedly as it appears like a successfully\nhwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when\nreleasing huge_zero_folio.\nSkip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue. \nWe're not prepared to unpoison huge_zero_folio yet.

See more information about CVE-2024-40914 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	4.7	CVSS Vector:	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector:	Local network	Attack Complexity:	High
Privileges Required:	Low	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	None
Integrity Impact:	None	Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12618	2024-09-12
Oracle Linux version 9 (kernel)	ELSA-2024-5928	2024-08-28
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12618	2024-09-12