

CVE-2024-45022

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0

The __vmap_pages_range_noflush() assumes its argument pages** contains pages with the same page shift. However, since commit e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes __GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation failed for high order, the pages** may contain two different page shifts (high order and order-0). This could lead __vmap_pages_range_noflush() to perform incorrect mappings, potentially resulting in memory corruption.

Users might encounter this as follows (vmap_allow_huge = true, 2M is for PMD_SIZE):

    kvmalloc(2M, __GFP_NOFAIL|GFP_X)
        __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)
            vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0
                vmap_pages_range()
                    vmap_pages_range_noflush()
                        __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens

We can remove the fallback code because if a high-order allocation fails, __vmalloc_node_range_noprof() will retry with order-0. Therefore, it is unnecessary to fallback to order-0 here. Therefore, fix this by removing the fallback code.
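The mismatch described above, as a user-space model added here for illustration (it is not kernel code and not part of the original advisory or patch). All function names, the reduced ORDER of 2 standing in for order 9, and the frame numbers are assumptions constructed for the example.

```c
/* User-space model of the page-shift mismatch; every name is hypothetical. */
#include <stdio.h>
#include <stddef.h>

#define ORDER 2                      /* model stand-in for order 9 (PMD_SIZE) */
#define GROUP (1u << ORDER)          /* small pages per high-order block */

/* Models a high-order mapping loop: one entry per GROUP slots, taking
 * pages[i] as the base and assuming the next GROUP-1 frames follow it. */
static void map_high_order(const unsigned long *pages, size_t nr,
                           unsigned long *va_to_pfn)
{
    for (size_t i = 0; i < nr; i += GROUP)
        for (size_t j = 0; j < GROUP && i + j < nr; j++)
            va_to_pfn[i + j] = pages[i] + j;
}

/* Number of virtual slots that point at a frame the caller never allocated. */
static size_t count_mismapped(const unsigned long *pages, size_t nr)
{
    unsigned long va_to_pfn[64];
    size_t bad = 0;
    if (nr > 64) return (size_t)-1;
    map_high_order(pages, nr, va_to_pfn);
    for (size_t k = 0; k < nr; k++)
        bad += (va_to_pfn[k] != pages[k]);
    return bad;
}

/* Model invariant the mapper relies on: each group is aligned and contiguous. */
static int pages_uniform(const unsigned long *pages, size_t nr)
{
    for (size_t i = 0; i < nr; i++) {
        unsigned long base = pages[i - i % GROUP];
        if (base % GROUP || pages[i] != base + i % GROUP)
            return 0;
    }
    return 1;
}

/* Constructed frame numbers: one order-2 block, then order-0 fallback pages. */
static const unsigned long mixed[8]   = { 64, 65, 66, 67, 103, 17, 250, 9 };
static const unsigned long uniform[8] = { 64, 65, 66, 67, 128, 129, 130, 131 };

int main(void)
{
    printf("mixed:   uniform=%d mismapped=%zu\n", pages_uniform(mixed, 8), count_mismapped(mixed, 8));
    printf("uniform: uniform=%d mismapped=%zu\n", pages_uniform(uniform, 8), count_mismapped(uniform, 8));
    return 0;
}
```

In the mixed case three of the eight virtual slots resolve to frames adjacent to the first fallback page rather than to the pages actually allocated, which is the "wrong mapping" the description refers to.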

POC

Reference

No PoCs from references.

Github

- https://github.com/fkie-cad/nvd-json-data-feeds