CVE-2024-36000
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix missing hugetlb_lock for resv uncharge There is a recent report on UFFDIO_COPY over hugetlb: https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/ 350: lockdep_assert_held(&hugetlb_lock); Should be an issue in hugetlb but triggered in an userfault context, where it goes into the unlikely path where two threads modifying the resv map together. Mike has a fix in that path for resv uncharge but it looks like the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd() will update the cgroup pointer, so it requires to be called with the lock held.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.01%• Percentile: 1%
Techniques & Countermeasures
- CWE-617•Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Affected Systems
- linux•linux
≥ 79aa925bf239c234be8586780e482872dc4690dd, < 4c806333efea1000a2a9620926f560ad2e1ca7cc | ≥ 79aa925bf239c234be8586780e482872dc4690dd, < f6c5d21db16a0910152ec8aa9d5a7aed72694505 | ≥ 79aa925bf239c234be8586780e482872dc4690dd, < 538faabf31e9c53d8c870d114846fda958a0de10 | ≥ 79aa925bf239c234be8586780e482872dc4690dd, < b76b46902c2d0395488c8412e1116c2486cdfcb2 | f87004c0b2bdf0f1066b88795d8e6c1dfad6cea0 | ≥ 5.9.7, < 5.10 | 5.10
- linux•linux_kernel
≥ 5.9.7, < 5.10 | ≥ 5.10.1, < 6.1.91 | ≥ 6.2, < 6.6.30 | ≥ 6.7, < 6.8.9 | 5.10 | 5.10:rc3 | 5.10:rc4 | 5.10:rc5 | 5.10:rc6 | 5.10:rc7 | 6.9:rc1 | 6.9:rc2 | 6.9:rc3 | 6.9:rc4 | 6.9:rc5