Company of IT security experts: cybersecurity audits and consulting
French cybersecurity company since 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2025-37958

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix dereferencing invalid pmd migration entry

When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot serve as the target.

Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio(*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for."

    BUG: unable to handle page fault for address: ffffea60001db008
    CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
    Call Trace:
     try_to_migrate_one+0x28c/0x3730
     rmap_walk_anon+0x4f6/0x770
     unmap_folio+0x196/0x1f0
     split_huge_page_to_list_to_order+0x9f6/0x1560
     deferred_split_scan+0xac5/0x12a0
     shrinker_debugfs_scan_write+0x376/0x470
     full_proxy_write+0x15c/0x220
     vfs_write+0x2fc/0xcb0
     ksys_write+0x146/0x250
     do_syscall_64+0x6a/0x120
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

The bug was found by syzkaller on an internal kernel, then confirmed on upstream.

POC

Reference

No PoCs from references.

Github

- https://github.com/w4zu/Debian_security