{"uuid": "3715662a-7eaa-462b-b89d-d8309e2fbd51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-5663", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/170", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: GHSA-58c3-gqj2-fvq8\n\ud83d\udd17 Aliases: CVE-2024-56673\n\ud83d\udd39 Details: In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: mm: Do not call pmd dtor on vmemmap page table teardown\n\nThe vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page\ntables are populated using pmd (page middle directory) hugetables.\nHowever, the pmd allocation is not using the generic mechanism used by\nthe VMA code (e.g. pmd_alloc()), or the RISC-V specific\ncreate_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table\ncode allocates a page, and calls vmemmap_set_pmd(). This results in\nthat the pmd ctor is *not* called, nor would it make sense to do so.\n\nNow, when tearing down a vmemmap page table pmd, the cleanup code\nwould unconditionally, and incorrectly call the pmd dtor, which\nresults in a crash (best case).\n\nThis issue was found when running the HMM selftests:\n\n | tools/testing/selftests/mm# ./test_hmm.sh smoke\n | ... # when unloading the test_hmm.ko module\n | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b\n | flags: 0x1000000000000000(node=0|zone=1)\n | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000\n | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)\n | ------------[ cut here ]------------\n | kernel BUG at include/linux/mm.h:3080!\n | Kernel BUG [#1]\n | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod\n | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2\n | Tainted: [W]=WARN\n | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024\n | epc : remove_pgd_mapping+0xbec/0x1070\n | ra : remove_pgd_mapping+0xbec/0x1070\n | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940\n | gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04\n | t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50\n | s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008\n | a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000\n | a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8\n | s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000\n | s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000\n | s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0\n | s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00\n | t5 : ff60000080244000 t6 : ff20000000a73708\n | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003\n | [] remove_pgd_mapping+0xbec/0x1070\n | [] vmemmap_free+0x14/0x1e\n | [] section_deactivate+0x220/0x452\n | [] sparse_remove_section+0x4a/0x58\n | [] __remove_pages+0x7e/0xba\n | [] memunmap_pages+0x2bc/0x3fe\n | [] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]\n | [] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]\n | [] __riscv_sys_delete_module+0x15a/0x2a6\n | [] do_trap_ecall_u+0x1f2/0x266\n | [] _new_vmalloc_restore_context_a0+0xc6/0xd2\n | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597\n | ---[ end trace 0000000000000000 ]---\n | Kernel panic - not syncing: Fatal exception in interrupt\n\nAdd a check to avoid calling the pmd dtor, if the calling context is\nvmemmap_free().\n\ud83d\udd22 Severity: CVSS_V3: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\n\ud83d\uddd3\ufe0f Modified: 2025-01-06T15:30:59Z\n\ud83d\uddd3\ufe0f Published: 2024-12-27T15:31:56Z\n\ud83d\udd17 References:\n1. https://nvd.nist.gov/vuln/detail/CVE-2024-5663\n2. https://git.kernel.org/stable/c/21f1b85c8912262adf510e63614a114425eb10\n3. https://git.kernel.org/stable/c/344945806f2faf68be98bac02836c86f223aa9", "creation_timestamp": "2025-01-06T15:37:42.000000Z"}