CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
10.3%
In the Linux kernel, the following vulnerability has been resolved: mm:
swap: fix race between free_swap_and_cache() and swapoff() There was
previously a theoretical window where swapoff() could run and teardown a
swap_info_struct while a call to free_swap_and_cache() was running in
another thread. This could cause, amongst other bad possibilities,
swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access
the freed memory for swap_map. This is a theoretical problem and I haven’t
been able to provoke it from a test case. But there has been agreement
based on code review that this is possible (see link below). Fix it by
using get_swap_device()/put_swap_device(), which will stall swapoff().
There was an extra check in _swap_info_get() to confirm that the swap entry
was not free. This isn’t present in get_swap_device() because it doesn’t
make sense in general due to the race between getting the reference and
swapoff. So I’ve added an equivalent check directly in
free_swap_and_cache(). Details of how to provoke one possible issue (thanks
to David Hildenbrand for deriving this): --8<----- __swap_entry_free()
might be the last user and result in “count == SWAP_HAS_CACHE”.
swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So
the question is: could someone reclaim the folio and turn
si->inuse_pages==0, before we completed swap_page_trans_huge_swapped().
Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are
still references by swap entries. Process 1 still references subpage 0 via
swap entry. Process 2 still references subpage 1 via swap entry. Process 1
quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then,
preempted in the hypervisor etc.] Process 2 quits. Calls
free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead,
passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap().
__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->
put_swap_folio()->free_swap_slot()->swapcache_free_entries()->
swap_entry_free()->swap_range_free()-> … WRITE_ONCE(si->inuse_pages,
si->inuse_pages - nr_entries); What stops swapoff to succeed after process
2 reclaimed the swap cache but before process1 finished its call to
swap_page_trans_huge_swapped()? --8<-----
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-116.126 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1065.71 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1009.9 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1065.71~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1068.77 | UNKNOWN |
git.kernel.org/linus/82b1c07a0af603e3c47b906c8e991dc96f01688e (6.9-rc1)
git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a
git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a
git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e
git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b
git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39
git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e
git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d
launchpad.net/bugs/cve/CVE-2024-26960
nvd.nist.gov/vuln/detail/CVE-2024-26960
security-tracker.debian.org/tracker/CVE-2024-26960
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
ubuntu.com/security/notices/USN-6878-1
ubuntu.com/security/notices/USN-6898-1
ubuntu.com/security/notices/USN-6898-2
ubuntu.com/security/notices/USN-6898-3
ubuntu.com/security/notices/USN-6898-4
ubuntu.com/security/notices/USN-6917-1
ubuntu.com/security/notices/USN-6919-1
www.cve.org/CVERecord?id=CVE-2024-26960