CVE-2024-35877: Vulnerability in the Linux kernel (x86/mm/pat, VM_PAT handling in COW mappings)
In the Linux kernel, the following vulnerability has been resolved:

x86/mm/pat: fix VM_PAT handling in COW mappings

PAT handling won't do the right thing in COW mappings: the first PTE (or, in fact, all PTEs) can be replaced during write faults to point at anon folios. Reliably recovering the correct PFN and cachemode using follow_phys() from PTEs will not work in COW mappings.

Using follow_phys(), we might just get the address+protection of the anon folio (which is very wrong), or fail on swap/nonswap entries, failing follow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and track_pfn_copy(), not properly calling free_pfn_range().

In free_pfn_range(), we either wouldn't call memtype_free() or would call it with the wrong range, possibly leaking memory.

To fix that, let's update follow_phys() to refuse returning anon folios, and fallback to using the stored PFN inside vma->vm_pgoff for COW mappings if we run into that.

We will now properly handle untrack_pfn() with COW mappings, where we don't need the cachemode. We'll have to fail fork()->track_pfn_copy() if the first page was replaced by an anon folio, though: we'd have to store the cachemode in the VMA to make this work, likely growing the VMA size.

For now, let's keep it simple and let track_pfn_copy() just fail in that case: it would have failed in the past with swap/nonswap entries already, and it would have done the wrong thing with anon folios.

Simple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():

<--- C reproducer --->
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <liburing.h>

int main(void)
{
        struct io_uring_params p = {};
        int ring_fd;
        size_t size;
        char *map;

        ring_fd = io_uring_setup(1, &p);
        if (ring_fd < 0) {
                perror("io_uring_setup");
                return 1;
        }

        size = p.sq_off.array + p.sq_entries * sizeof(unsigned);

        /*
         * Map the submission queue ring MAP_PRIVATE. The kernel backs this
         * mapping with remap_pfn_range(), so on x86 the VMA carries VM_PAT
         * and a PAT memtype reservation that must be released at unmap.
         */
        map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,
                   ring_fd, IORING_OFF_SQ_RING);
        if (map == MAP_FAILED) {
                perror("mmap");
                return 1;
        }

        /* We have at least one page. Let's COW it. */
        *map = 0;
        pause();
        return 0;
}
<--- C reproducer --->

On a system with 16 GiB RAM and swap configured:

# ./iouring &
# memhog 16G
# killall iouring

[  301.552930] ------------[ cut here ]------------
[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100
[  301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g
[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1
[  301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4
[  301.559569] RIP: 0010:untrack_pfn+0xf4/0x100
[  301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000
[  301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282
[  301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047
[  301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200
[  301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000
[  301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000
[  301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000
[  301.564186] FS:  0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000
[  301.564773] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0
[  301.565725] PKRU: 55555554
[  301.565944] Call Trace:
[  301.566148]  <TASK>
[  301.566325]  ? untrack_pfn+0xf4/0x100
[  301.566618]  ? __warn+0x81/0x130
[  301.566876]  ? untrack_pfn+0xf4/0x100
[  3 ---truncated---
AI Analysis
Technical Summary
CVE-2024-35877 is a bug in the x86 Page Attribute Table (PAT) bookkeeping of the Linux kernel for VM_PAT mappings that are copy-on-write (COW), that is, MAP_PRIVATE mappings of physical memory that a driver established with remap_pfn_range(). On x86 the kernel reserves a PAT memtype for the mapped physical range when such a mapping is created and has to release it again when the VMA is torn down (untrack_pfn() -> free_pfn_range() -> memtype_free()) or duplicated on fork() (track_pfn_copy()). Both paths recover the physical frame number (PFN) and cache mode by walking the mapping's first page table entry with follow_phys(). In a COW mapping, however, the first write fault replaces that PTE with an anonymous folio, and that folio can later be swapped out. follow_phys() then either returns the PFN and protection of the anonymous page, so free_pfn_range() runs memtype_free() on the wrong physical range, or fails on the swap entry, which trips a WARN_ON_ONCE() in untrack_pfn() or track_pfn_copy() and skips memtype_free() entirely, leaking the memtype reservation. Only the second variant produces a log line; the wrong-range variant is silent.

The fix makes follow_phys() refuse anonymous folios. untrack_pfn() then falls back to the original PFN that the kernel keeps in vma->vm_pgoff for such mappings, which is enough because freeing the range does not need the cache mode. track_pfn_copy() has no such fallback (it would need the cache mode, which the VMA does not store), so after the fix fork() fails for a process whose first page of a COW VM_PAT mapping has been replaced by an anonymous folio. That is a behavioural change to be aware of when testing the patched kernel, but it is no worse than the previous behaviour, which already failed on swap entries and did the wrong thing with anonymous folios.

The reproducer in the description uses io_uring as the vehicle because it is reachable from an unprivileged process by default: io_uring_setup() creates the ring, the submission-queue ring is mapped with mmap(MAP_PRIVATE) on the ring file descriptor, one store COWs the first page, memory pressure (memhog with swap configured) pushes that page out, and killing the process drives untrack_pfn() into the WARN_ON_ONCE() at arch/x86/mm/pat/memtype.c:1060 on the 6.7.5 kernel shown. io_uring is only a convenient trigger; any driver whose mmap handler uses remap_pfn_range() and accepts a writable MAP_PRIVATE mapping exposes the same path. The bug is local and requires the ability to run code on the host; its direct consequences are the kernel warning (a panic where panic_on_warn is set) and a leaked or mis-freed PAT memtype entry, not memory corruption or privilege escalation. No exploitation in the wild is reported and no CVSS score has been assigned.
Potential Impact
For European organizations the exposure is limited to hosts running an unpatched x86 Linux kernel on which untrusted or semi-trusted code can execute locally: the bug is not reachable over the network, and nothing in the description gives a path to privilege escalation or code execution. What a local user can do is make the kernel leak or mis-free a PAT memtype reservation and trip a WARN_ON_ONCE(). On systems that run with panic_on_warn=1 that warning is a kernel panic, so the realistic worst case is a local denial of service; without panic_on_warn it is a once-per-boot warning plus a small, persistent inconsistency in the kernel's PAT tracking. The candidates that matter are multi-tenant Linux servers, container and cloud hosts, build farms and shared development machines, where unprivileged tenants can call io_uring_setup() or mmap device memory; single-user embedded devices carry the bug in principle but give an attacker nothing they do not already have. Because the code lives in the core x86 memory manager, every mainstream distribution kernel that predates the fix is affected, which touches data centers, cloud providers and enterprises across Europe.
Mitigation Recommendations
1. Upgrade to a distribution kernel that carries the fix ("x86/mm/pat: fix VM_PAT handling in COW mappings"). Confirm it through the distribution's changelog or CVE tracker entry for CVE-2024-35877 rather than from the version number alone, since stable backports do not change the major version, and coordinate with the distribution maintainers where enterprise change windows delay deployment.
2. Where a reboot is not possible, use a kernel live-patching service if the distribution offers one for this fix.
3. Until patched, shrink the unprivileged attack surface. On kernels that provide kernel.io_uring_disabled (6.6 and later), set it to 1 (privileged only) or 2 (off), or deny io_uring_setup() with a seccomp profile in container runtimes. This closes the vehicle used by the public reproducer only; any driver mmap that uses remap_pfn_range() with a writable MAP_PRIVATE mapping is an equivalent trigger, so also review which device nodes unprivileged users can open.
4. Decide deliberately about panic_on_warn on affected hosts: with it set, this bug is a local DoS; without it, a warning and a leaked memtype entry.
5. Monitor kernel logs for "WARNING: CPU: ... at arch/x86/mm/pat/memtype.c" in untrack_pfn() or track_pfn_copy() and correlate the following "Comm:" line to identify the process. WARN_ON_ONCE() fires once per boot, so a single hit is meaningful and later triggers leave no trace; and the wrong-range variant (anonymous page still resident, no swap) never logs at all, so a clean log does not prove the bug was not hit.
6. Memory-pressure controls (swap limits, cgroup memory limits) do not prevent the bug; the wrong-range path needs no swap. Treat them as a way to make the logged variant less likely, not as a mitigation.
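The detection and host-hardening checks above, as an added triage script. This is example code written for this page, not code from the kernel commit or from the advisory. It scans kernel log lines (dmesg output) for the WARN_ON_ONCE() signature that the fix description shows, pulls the PID, command name and kernel version from the "Comm:" line that follows, and reads the two sysctls that decide how much the bug matters on a host. The sample log is constructed: the first two lines are copied from the oops in the description, the third is a made-up unrelated warning that must be ignored. The file name pat_triage.py is hypothetical.

```python
"""Triage helper for CVE-2024-35877 (added example, not part of the kernel
commit or the advisory). Finds the PAT WARN_ON_ONCE() in kernel logs and
reports sysctls that change its impact."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Functions in arch/x86/mm/pat/memtype.c that carry the WARN_ON_ONCE().
PAT_WARN_FUNCS = ("untrack_pfn", "track_pfn_copy")

# "[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100"
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) (?:UID: \d+ )?PID: (?P<pid>\d+) at "
    r"arch/x86/mm/pat/memtype\.c:(?P<line>\d+) (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# "[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1"
# Newer kernels may insert "UID: n" and "Kdump: loaded"; a tainted kernel prints
# "Tainted: G        W" with a fixed-width flag field before the version.
COMM_RE = re.compile(
    r"CPU: \d+ (?:UID: \d+ )?PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?:Kdump: \S+ )?"
    r"(?:Not tainted|Tainted:[A-Z ]*?) +(?P<kernel>\d\S*)"
)


@dataclass
class PatWarning:
    cpu: int
    pid: int
    func: str
    line: int
    comm: Optional[str] = None
    kernel: Optional[str] = None


def find_pat_warnings(lines) -> List[PatWarning]:
    """One PatWarning per WARN_ON_ONCE() hit in untrack_pfn()/track_pfn_copy(),
    enriched with the Comm:/kernel line that follows it. Other WARNINGs,
    including other warnings in memtype.c, are ignored."""
    hits: List[PatWarning] = []
    pending = {}  # pid -> warning still waiting for its "Comm:" line
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            if m["func"] in PAT_WARN_FUNCS:
                w = PatWarning(int(m["cpu"]), int(m["pid"]), m["func"], int(m["line"]))
                hits.append(w)
                pending[w.pid] = w
            continue
        m = COMM_RE.search(line)
        if m and int(m["pid"]) in pending:
            w = pending.pop(int(m["pid"]))
            w.comm, w.kernel = m["comm"], m["kernel"]
    return hits


def assess_sysctls(panic_on_warn: str, io_uring_disabled: Optional[str]) -> List[str]:
    """panic_on_warn: contents of /proc/sys/kernel/panic_on_warn.
    io_uring_disabled: contents of /proc/sys/kernel/io_uring_disabled
    (0 = enabled, 1 = privileged only, 2 = off), or None when the file is
    absent, i.e. a kernel without that sysctl."""
    findings = []
    if panic_on_warn.strip() != "0":
        findings.append("panic_on_warn is set: the WARN_ON_ONCE() in untrack_pfn() "
                        "panics the host instead of logging (local DoS)")
    if io_uring_disabled is None:
        findings.append("kernel.io_uring_disabled is not available: deny io_uring_setup() "
                        "with seccomp where io_uring is not needed")
    elif io_uring_disabled.strip() == "0":
        findings.append("kernel.io_uring_disabled=0: unprivileged processes can run the "
                        "public io_uring reproducer")
    return findings


def read_proc(path: str) -> Optional[str]:
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


# Constructed sample input: lines 1-2 are from the oops in the fix description,
# line 3 is a made-up unrelated WARNING that must not be reported.
SAMPLE_LOG = [
    "[  301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100",
    "[  301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1",
    "[  400.000000] WARNING: CPU: 1 PID: 99 at drivers/example/example.c:10 example_fn+0x10/0x20",
]

if __name__ == "__main__":
    # Usage: dmesg | python3 pat_triage.py   (no piped input: run on SAMPLE_LOG)
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for w in find_pat_warnings(lines):
        print(f"PAT warning in {w.func}() at memtype.c:{w.line}: "
              f"pid {w.pid} comm {w.comm} kernel {w.kernel}")
    panic_setting = read_proc("/proc/sys/kernel/panic_on_warn") or "0"
    for finding in assess_sysctls(panic_setting, read_proc("/proc/sys/kernel/io_uring_disabled")):
        print("finding:", finding)
```

The script pairs each WARNING with its "Comm:" line by PID rather than by adjacency, because the "Modules linked in:" line sits between them and other CPUs can interleave output. Running it on a fleet only tells you whether the logged variant has occurred since the last boot; the silent wrong-range variant leaves nothing for it to find.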
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-05-17T13:50:33.110Z
- CISA Enriched: true
- CVSS Version: null (no CVSS score assigned)
- State: PUBLISHED
Threat ID: 682d982ac4522896dcbe3753
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:57:23 PM
Last updated: 8/14/2025, 7:55:59 PM