{
    "dataType": "CVE_RECORD",
    "cveMetadata": {
        "cveId": "CVE-2024-35877",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-05-17T13:50:33.110Z",
        "datePublished": "2024-05-19T08:34:34.604Z",
        "dateUpdated": "2024-08-02T03:21:48.797Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:30:33.031Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios.  Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode.  We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include <stdio.h>\n #include <sys/mman.h>\n #include <unistd.h>\n #include <liburing.h>\n\n int main(void)\n {\n         struct io_uring_params p = {};\n         int ring_fd;\n         size_t size;\n         char *map;\n\n         ring_fd = io_uring_setup(1, &p);\n         if (ring_fd < 0) {\n                 perror(\"io_uring_setup\");\n                 return 1;\n         }\n         size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n         /* Map the submission queue ring MAP_PRIVATE */\n         map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n                    ring_fd, IORING_OFF_SQ_RING);\n         if (map == MAP_FAILED) {\n                 perror(\"mmap\");\n                 return 1;\n         }\n\n         /* We have at least one page. Let's COW it. */\n         *map = 0;\n         pause();\n         return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[  301.552930] ------------[ cut here ]------------\n[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[  301.565725] PKRU: 55555554\n[  301.565944] Call Trace:\n[  301.566148]  <TASK>\n[  301.566325]  ? untrack_pfn+0xf4/0x100\n[  301.566618]  ? __warn+0x81/0x130\n[  301.566876]  ? untrack_pfn+0xf4/0x100\n[  3\n---truncated---"
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "arch/x86/mm/pat/memtype.c",
                        "mm/memory.c"
                    ],
                    "versions": [
                        {
                            "version": "5899329b1910",
                            "lessThan": "f18681daaec9",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "5899329b1910",
                            "lessThan": "09e6bb53217b",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "5899329b1910",
                            "lessThan": "c2b2430b48f3",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "5899329b1910",
                            "lessThan": "7cfee26d1950",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "5899329b1910",
                            "lessThan": "97e93367e827",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "5899329b1910",
                            "lessThan": "51b7841f3fe8",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "5899329b1910",
                            "lessThan": "1341e4b32e1f",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "5899329b1910",
                            "lessThan": "04c35ab3bdae",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "arch/x86/mm/pat/memtype.c",
                        "mm/memory.c"
                    ],
                    "versions": [
                        {
                            "version": "2.6.29",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "2.6.29",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "4.19.312",
                            "lessThanOrEqual": "4.19.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.4.274",
                            "lessThanOrEqual": "5.4.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.215",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.15.155",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.1.85",
                            "lessThanOrEqual": "6.1.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6.26",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.8.5",
                            "lessThanOrEqual": "6.8.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.9",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b"
                },
                {
                    "url": "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173"
                },
                {
                    "url": "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4"
                },
                {
                    "url": "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a"
                },
                {
                    "url": "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f"
                },
                {
                    "url": "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec"
                },
                {
                    "url": "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6"
                },
                {
                    "url": "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221"
                },
                {
                    "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
                },
                {
                    "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
                }
            ],
            "title": "x86/mm/pat: fix VM_PAT handling in COW mappings",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "timestamp": "2024-06-18T16:56:35.552255Z",
                                "id": "CVE-2024-35877",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "role": "CISA Coordinator",
                                "version": "2.0.3"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-06-18T16:56:48.083Z"
                }
            },
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-02T03:21:48.797Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    },
    "dataVersion": "5.1"
}