x86/mm/pat: fix VM_PAT handling in COW mappings

Summary

CVE	CVE-2024-35877
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2024-05-19 09:15:08 UTC
Updated	2026-05-12 12:16:38 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: x86/mm/pat: fix VM_PAT handling in COW mappings PAT handling won't do the right thing in COW mappings: the first PTE (or, in fact, all PTEs) can be replaced during write faults to point at anon folios. Reliably recovering the correct PFN and cachemode using follow_phys() from PTEs will not work in COW mappings. Using follow_phys(), we might just get the address+protection of the anon folio (which is very wrong), or fail on swap/nonswap entries, failing follow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and track_pfn_copy(), not properly calling free_pfn_range(). In free_pfn_range(), we either wouldn't call memtype_free() or would call it with the wrong range, possibly leaking memory. To fix that, let's update follow_phys() to refuse returning anon folios, and fallback to using the stored PFN inside vma->vm_pgoff for COW mappings if we run into that. We will now properly handle untrack_pfn() with COW mappings, where we don't need the cachemode. We'll have to fail fork()->track_pfn_copy() if the first page was replaced by an anon folio, though: we'd have to store the cachemode in the VMA to make this work, likely growing the VMA size. For now, lets keep it simple and let track_pfn_copy() just fail in that case: it would have failed in the past with swap/nonswap entries already, and it would have done the wrong thing with anon folios. Simple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn(): <--- C reproducer ---> #include <stdio.h> #include <sys/mman.h> #include <unistd.h> #include <liburing.h> int main(void) { struct io_uring_params p = {}; int ring_fd; size_t size; char map; ring_fd = io_uring_setup(1, &p); if (ring_fd < 0) { perror("io_uring_setup"); return 1; } size = p.sq_off.array + p.sq_entries sizeof(unsigned); /* Map the submission queue ring MAP_PRIVATE / map = mmap(0, size, PROT_READ \| PROT_WRITE, MAP_PRIVATE, ring_fd, IORING_OFF_SQ_RING); if (map == MAP_FAILED) { perror("mmap"); return 1; } / We have at least one page. Let's COW it. / map = 0; pause(); return 0; } <--- C reproducer ---> On a system with 16 GiB RAM and swap configured: # ./iouring & # memhog 16G # killall iouring [ 301.552930] ------------[ cut here ]------------ [ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100 [ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g [ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1 [ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4 [ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100 [ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000 [ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282 [ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047 [ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200 [ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000 [ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000 [ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000 [ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000 [ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0 [ 301.565725] PKRU: 55555554 [ 301.565944] Call Trace: [ 301.566148] <TASK> [ 301.566325] ? untrack_pfn+0xf4/0x100 [ 301.566618] ? __warn+0x81/0x130 [ 301.566876] ? untrack_pfn+0xf4/0x100 [ 3 ---truncated---

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-401 | CWE-noinfo Not enough information

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 f18681daaec9665a15c5e7e0f591aad5d0ac622b git	Not specified
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 09e6bb53217bf388a0d2fd7fb21e74ab9dffc173 git	Not specified
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4 git	Not specified
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 7cfee26d1950250b14c5cb0a37b142f3fcc6396a git	Not specified
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 97e93367e82752e475a33839a80b33bdbef1209f git	Not specified
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 51b7841f3fe84606ec0bd8da859d22e05e5419ec git	Not specified
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6 git	Not specified
CNA	Linux	Linux	affected 5899329b19100c0b82dc78e9b21ed8b920c9ffb3 04c35ab3bdae7fefbd7c7a7355f29fa03a035221 git	Not specified
CNA	Linux	Linux	affected 2.6.29	Not specified
CNA	Linux	Linux	unaffected 2.6.29 semver	Not specified
CNA	Linux	Linux	unaffected 4.19.312 4.19.* semver	Not specified
CNA	Linux	Linux	unaffected 5.4.274 5.4.* semver	Not specified
CNA	Linux	Linux	unaffected 5.10.215 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.155 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.85 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.26 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.8.5 6.8.* semver	Not specified
CNA	Linux	Linux	unaffected 6.9 * original_commit_for_fix	Not specified
ADP	Siemens	SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem	affected * custom	Not specified

References

Reference	Source	Link	Tags
lists.debian.org/debian-lts-announce/2024/06/msg00017.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-265688.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2024/06/msg00020.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Third Party Advisory
git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221	af854a3a-2127-422b-91ae-364da2661108	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.