CVE-2024-53219

{"id": "CVE-2024-53219", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-12-27T14:15:29.963", "references": [{"url": "https://git.kernel.org/stable/c/2bc07714dc955a91d2923a440ea02c3cb3376b10", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/41748675c0bf252b3c5f600a95830f0936d366c1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9a8fde56d4b6d51930936ed50f6370a9097328d1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: use pages instead of pointer for kernel direct IO\n\nWhen trying to insert a 10MB kernel module kept in a virtio-fs with cache\ndisabled, the following warning was reported:\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ......\n Modules linked in:\n CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:__alloc_pages+0x2bf/0x380\n ......\n Call Trace:\n <TASK>\n ? __warn+0x8e/0x150\n ? __alloc_pages+0x2bf/0x380\n __kmalloc_large_node+0x86/0x160\n __kmalloc+0x33c/0x480\n virtio_fs_enqueue_req+0x240/0x6d0\n virtio_fs_wake_pending_and_unlock+0x7f/0x190\n queue_request_and_unlock+0x55/0x60\n fuse_simple_request+0x152/0x2b0\n fuse_direct_io+0x5d2/0x8c0\n fuse_file_read_iter+0x121/0x160\n __kernel_read+0x151/0x2d0\n kernel_read+0x45/0x50\n kernel_read_file+0x1a9/0x2a0\n init_module_from_file+0x6a/0xe0\n idempotent_init_module+0x175/0x230\n __x64_sys_finit_module+0x5d/0xb0\n x64_sys_call+0x1c3/0x9e0\n do_syscall_64+0x3d/0xc0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n ......\n </TASK>\n ---[ end trace 0000000000000000 ]---\n\nThe warning is triggered as follows:\n\n1) syscall finit_module() handles the module insertion and it invokes\nkernel_read_file() to read the content of the module first.\n\n2) kernel_read_file() allocates a 10MB buffer by using vmalloc() and\npasses it to kernel_read(). kernel_read() constructs a kvec iter by\nusing iov_iter_kvec() and passes it to fuse_file_read_iter().\n\n3) virtio-fs disables the cache, so fuse_file_read_iter() invokes\nfuse_direct_io(). As for now, the maximal read size for kvec iter is\nonly limited by fc->max_read. For virtio-fs, max_read is UINT_MAX, so\nfuse_direct_io() doesn't split the 10MB buffer. It saves the address and\nthe size of the 10MB-sized buffer in out_args[0] of a fuse request and\npasses the fuse request to virtio_fs_wake_pending_and_unlock().\n\n4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() to\nqueue the request. Because virtiofs need DMA-able address, so\nvirtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer for\nall fuse args, copies these args into the bounce buffer and passed the\nphysical address of the bounce buffer to virtiofsd. The total length of\nthese fuse args for the passed fuse request is about 10MB, so\ncopy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter and\nit triggers the warning in __alloc_pages():\n\n\tif (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp))\n\t\treturn NULL;\n\n5) virtio_fs_enqueue_req() will retry the memory allocation in a\nkworker, but it won't help, because kmalloc() will always return NULL\ndue to the abnormal size and finit_module() will hang forever.\n\nA feasible solution is to limit the value of max_read for virtio-fs, so\nthe length passed to kmalloc() will be limited. However it will affect\nthe maximal read size for normal read. And for virtio-fs write initiated\nfrom kernel, it has the similar problem but now there is no way to limit\nfc->max_write in kernel.\n\nSo instead of limiting both the values of max_read and max_write in\nkernel, introducing use_pages_for_kvec_io in fuse_conn and setting it as\ntrue in virtiofs. When use_pages_for_kvec_io is enabled, fuse will use\npages instead of pointer to pass the KVEC_IO data.\n\nAfter switching to pages for KVEC_IO data, these pages will be used for\nDMA through virtio-fs. If these pages are backed by vmalloc(),\n{flush|invalidate}_kernel_vmap_range() are necessary to flush or\ninvalidate the cache before the DMA operation. So add two new fields in\nfuse_args_pages to record the base address of vmalloc area and the\ncondition indicating whether invalidation is needed. Perform the flush\nin fuse_get_user_pages() for write operations and the invalidation in\nfuse_release_user_pages() for read operations.\n\nIt may seem necessary to introduce another fie\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtiofs: usar p\u00e1ginas en lugar de puntero para E/S directa del kernel Al intentar insertar un m\u00f3dulo de kernel de 10 MB guardado en un virtio-fs con la cach\u00e9 deshabilitada, se inform\u00f3 la siguiente advertencia: ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 1 PID: 404 en mm/page_alloc.c:4551 ...... M\u00f3dulos vinculados: CPU: 1 PID: 404 Comm: insmod No contaminado 6.9.0-rc5+ #123 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:__alloc_pages+0x2bf/0x380 ...... Rastreo de llamadas: ? __warn+0x8e/0x150 ? __alloc_pages+0x2bf/0x380 __kmalloc_large_node+0x86/0x160 __kmalloc+0x33c/0x480 virtio_fs_enqueue_req+0x240/0x6d0 virtio_fs_wake_pending_and_unlock+0x7f/0x190 queue_request_and_unlock+0x55/0x60 fuse_simple_request+0x152/0x2b0 fuse_direct_io+0x5d2/0x8c0 fuse_file_read_iter+0x121/0x160 __kernel_read+0x151/0x2d0 kernel_read+0x45/0x50 kernel_read_file+0x1a9/0x2a0 init_module_from_file+0x6a/0xe0 idempotent_init_module+0x175/0x230 __x64_sys_finit_module+0x5d/0xb0 x64_sys_call+0x1c3/0x9e0 do_syscall_64+0x3d/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ...... ---[ end trace 000000000000000 ]--- La advertencia se activa de la siguiente manera: 1) syscall finit_module() gestiona la inserci\u00f3n del m\u00f3dulo e invoca kernel_read_file() para leer primero el contenido del m\u00f3dulo. 2) kernel_read_file() asigna un b\u00fafer de 10 MB mediante vmalloc() y lo pasa a kernel_read(). kernel_read() construye un iter kvec utilizando iov_iter_kvec() y lo pasa a fuse_file_read_iter(). 3) virtio-fs desactiva la cach\u00e9, por lo que fuse_file_read_iter() invoca fuse_direct_io(). Por ahora, el tama\u00f1o m\u00e1ximo de lectura para el iter kvec solo est\u00e1 limitado por fc-&gt;max_read. Para virtio-fs, max_read es UINT_MAX, por lo que fuse_direct_io() no divide el b\u00fafer de 10 MB. Guarda la direcci\u00f3n y el tama\u00f1o del b\u00fafer de 10 MB en out_args[0] de una solicitud de fuse y pasa la solicitud de fuse a virtio_fs_wake_pending_and_unlock(). 4) virtio_fs_wake_pending_and_unlock() utiliza virtio_fs_enqueue_req() para poner en cola la solicitud. Debido a que los virtiofs necesitan una direcci\u00f3n que pueda ser DMA, virtio_fs_enqueue_req() usa kmalloc() para asignar un buffer de rebote para todos los argumentos de fusi\u00f3n, copia estos argumentos en el buffer de rebote y pasa la direcci\u00f3n f\u00edsica del buffer de rebote a virtiofsd. La longitud total de estos argumentos de fusi\u00f3n para la solicitud de fusi\u00f3n pasada es de aproximadamente 10 MB, por lo que copy_args_to_argbuf() invoca kmalloc() con un par\u00e1metro de tama\u00f1o de 10 MB y activa la advertencia en __alloc_pages(): if (WARN_ON_ONCE_GFP(order &gt; MAX_PAGE_ORDER, gfp)) return NULL; 5) virtio_fs_enqueue_req() volver\u00e1 a intentar la asignaci\u00f3n de memoria en un kworker, pero no ayudar\u00e1, porque kmalloc() siempre devolver\u00e1 NULL debido al tama\u00f1o anormal y finit_module() se colgar\u00e1 para siempre. Una soluci\u00f3n factible es limitar el valor de max_read para virtio-fs, por lo que la longitud pasada a kmalloc() ser\u00e1 limitada. Sin embargo, afectar\u00e1 el tama\u00f1o m\u00e1ximo de lectura para la lectura normal. Y para la escritura de virtio-fs iniciada desde el kernel, tiene el mismo problema pero ahora no hay forma de limitar fc-&gt;max_write en el kernel. Entonces, en lugar de limitar los valores de max_read y max_write en el kernel, se introduce use_pages_for_kvec_io en fuse_conn y se establece como verdadero en virtiofs. Cuando use_pages_for_kvec_io est\u00e1 habilitado, fuse usar\u00e1 p\u00e1ginas en lugar de punteros para pasar los datos de KVEC_IO. Despu\u00e9s de cambiar a p\u00e1ginas para los datos de KVEC_IO, estas p\u00e1ginas se usar\u00e1n para DMA a trav\u00e9s de virtio-fs. Si estas p\u00e1ginas est\u00e1n respaldadas por vmalloc(), {flush|invalidate}_kernel_vmap_range() son necesarias para vaciar o invalidar la cach\u00e9 antes de la operaci\u00f3n de DMA. Por lo tanto, agregue dos nuevos campos en fuse_args_pages para registrar la direcci\u00f3n base del \u00e1rea vmalloc y la condici\u00f3n que indica si se necesita invalidaci\u00f3n. --truncated---"}], "lastModified": "2025-10-01T20:17:21.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AB6FFC8-FD78-423C-B526-DDDEAE21137A", "versionEndExcluding": "6.11.11", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}