Company of IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2024-47674

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: avoid leaving partial pfn mappings around in error case

As Jann points out, PFN mappings are special, because unlike normal memory mappings, there is no lifetime information associated with the mapping - it is just a raw mapping of PFNs with no reference counting of a 'struct page'.

That's all very much intentional, but it does mean that it's easy to mess up the cleanup in case of errors. Yes, a failed mmap() will always eventually clean up any partial mappings, but without any explicit lifetime in the page table mapping itself, it's very easy to do the error handling in the wrong order.

In particular, it's easy to mistakenly free the physical backing store before the page tables are actually cleaned up and (temporarily) have stale dangling PTE entries.

To make this situation less error-prone, just make sure that any partial pfn mapping is torn down early, before any other error handling.

POC

Reference

No PoCs from references.

Github

- https://github.com/fkie-cad/nvd-json-data-feeds

- https://github.com/w4zu/Debian_security