CVE-2024-35993

{"id": "CVE-2024-35993", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-20T10:15:13.463", "references": [{"url": "https://git.kernel.org/stable/c/2431b5f2650dfc47ce782d1ca7b02d6b3916976f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d99e3140a4d33e26066183ff727d8f02f56bec64", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2431b5f2650dfc47ce782d1ca7b02d6b3916976f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/d99e3140a4d33e26066183ff727d8f02f56bec64", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: turn folio_test_hugetlb into a PageType\n\nThe current folio_test_hugetlb() can be fooled by a concurrent folio split\ninto returning true for a folio which has never belonged to hugetlbfs. \nThis can't happen if the caller holds a refcount on it, but we have a few\nplaces (memory-failure, compaction, procfs) which do not and should not\ntake a speculative reference.\n\nSince hugetlb pages do not use individual page mapcounts (they are always\nfully mapped and use the entire_mapcount field to record the number of\nmappings), the PageType field is available now that page_mapcount()\nignores the value in this field.\n\nIn compaction and with CONFIG_DEBUG_VM enabled, the current implementation\ncan result in an oops, as reported by Luis. This happens since 9c5ccf2db04b\n(\"mm: remove HUGETLB_PAGE_DTOR\") effectively added some VM_BUG_ON() checks\nin the PageHuge() testing path.\n\n[willy@infradead.org: update vmcoreinfo]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: convierte folio_test_hugetlb en un PageType. El folio_test_hugetlb() actual puede ser enga\u00f1ado por una divisi\u00f3n de folio concurrente y devuelve verdadero para un folio que nunca ha pertenecido a hugetlbfs. Esto no puede suceder si la persona que llama tiene un recuento sobre \u00e9l, pero tenemos algunos lugares (fallo de memoria, compactaci\u00f3n, procfs) que no toman ni deben tomar una referencia especulativa. Dado que las p\u00e1ginas de Hugetlb no usan recuentos de mapas de p\u00e1ginas individuales (siempre est\u00e1n completamente asignadas y usan el campo Whole_mapcount para registrar el n\u00famero de asignaciones), el campo PageType est\u00e1 disponible ahora que page_mapcount() ignora el valor en este campo. En compactaci\u00f3n y con CONFIG_DEBUG_VM habilitado, la implementaci\u00f3n actual puede resultar en un error, seg\u00fan lo informado por Luis. Esto sucede desde que 9c5ccf2db04b (\"mm: eliminar HUGETLB_PAGE_DTOR\") agreg\u00f3 efectivamente algunas comprobaciones de VM_BUG_ON() en la ruta de prueba de PageHuge(). [willy@infradead.org: actualizar vmcoreinfo] Enlace: https://lkml.kernel.org/r/ZgGZUvsdhaT1Va-T@casper.infradead.org"}], "lastModified": "2025-09-24T18:23:18.753", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4D9BC34-65C4-4ACE-ABEF-1029C09F30B3", "versionEndExcluding": "6.6.30", "versionStartIncluding": "6.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F9041E5-8358-4EF7-8F98-B812EDE49612", "versionEndExcluding": "6.8.9", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52048DDA-FC5A-4363-95A0-A6357B4D7F8C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A06B2CCF-3F43-4FA9-8773-C83C3F5764B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F850DCEC-E08B-4317-A33B-D2DCF39F601B"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}