CVE-2024-40918: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: parisc: Try to fix random segmentation faults in package builds PA-RISC systems with PA8800 and PA8900 processors have had problems with random segmentation faults for many years. Systems with earlier processors are much more stable. Systems with PA8800 and PA8900 processors have a large L2 cache which needs per page flushing for decent performance when a large range is flushed. The combined cache in these systems is also more sensitive to non-equivalent aliases than the caches in earlier systems. The majority of random segmentation faults that I have looked at appear to be memory corruption in memory allocated using mmap and malloc. My first attempt at fixing the random faults didn't work. On reviewing the cache code, I realized that there were two issues which the existing code didn't handle correctly. Both relate to cache move-in. Another issue is that the present bit in PTEs is racy. 1) PA-RISC caches have a mind of their own and they can speculatively load data and instructions for a page as long as there is a entry in the TLB for the page which allows move-in. TLBs are local to each CPU. Thus, the TLB entry for a page must be purged before flushing the page. This is particularly important on SMP systems. In some of the flush routines, the flush routine would be called and then the TLB entry would be purged. This was because the flush routine needed the TLB entry to do the flush. 2) My initial approach to trying the fix the random faults was to try and use flush_cache_page_if_present for all flush operations. This actually made things worse and led to a couple of hardware lockups. It finally dawned on me that some lines weren't being flushed because the pte check code was racy. This resulted in random inequivalent mappings to physical pages. The __flush_cache_page tmpalias flush sets up its own TLB entry and it doesn't need the existing TLB entry. As long as we can find the pte pointer for the vm page, we can get the pfn and physical address of the page. We can also purge the TLB entry for the page before doing the flush. Further, __flush_cache_page uses a special TLB entry that inhibits cache move-in. When switching page mappings, we need to ensure that lines are removed from the cache. It is not sufficient to just flush the lines to memory as they may come back. This made it clear that we needed to implement all the required flush operations using tmpalias routines. This includes flushes for user and kernel pages. After modifying the code to use tmpalias flushes, it became clear that the random segmentation faults were not fully resolved. The frequency of faults was worse on systems with a 64 MB L2 (PA8900) and systems with more CPUs (rp4440). The warning that I added to flush_cache_page_if_present to detect pages that couldn't be flushed triggered frequently on some systems. Helge and I looked at the pages that couldn't be flushed and found that the PTE was either cleared or for a swap page. Ignoring pages that were swapped out seemed okay but pages with cleared PTEs seemed problematic. I looked at routines related to pte_clear and noticed ptep_clear_flush. The default implementation just flushes the TLB entry. However, it was obvious that on parisc we need to flush the cache page as well. If we don't flush the cache page, stale lines will be left in the cache and cause random corruption. Once a PTE is cleared, there is no way to find the physical address associated with the PTE and flush the associated page at a later time. I implemented an updated change with a parisc specific version of ptep_clear_flush. It fixed the random data corruption on Helge's rp4440 and rp3440, as well as on my c8000. At this point, I realized that I could restore the code where we only flush in flush_cache_page_if_present if the page has been accessed. However, for this, we also need to flush the cache when the accessed bit is cleared in ---truncated---
AI Analysis
Technical Summary
CVE-2024-40918 addresses a long-standing vulnerability in the Linux kernel specifically affecting PA-RISC architecture systems equipped with PA8800 and PA8900 processors. These processors have a large L2 cache that requires careful per-page flushing to maintain performance and data integrity. The vulnerability arises from improper handling of cache flushing and Translation Lookaside Buffer (TLB) management, leading to random segmentation faults and memory corruption during package builds and other memory-intensive operations. The root cause involves the speculative cache move-in behavior of PA-RISC caches, which can load data and instructions based on TLB entries. The Linux kernel's existing cache flush routines did not correctly purge TLB entries before flushing pages, especially on symmetric multiprocessing (SMP) systems, resulting in stale cache lines and inconsistent memory views. Additionally, the page table entry (PTE) checks were racy, causing some cache lines to remain uncleared and leading to inequivalent physical page mappings. The fix involved implementing PA-RISC specific cache flush operations using temporary aliasing (tmpalias) flush routines that set up their own TLB entries and inhibit speculative cache move-in. Furthermore, the patch introduced a parisc-specific ptep_clear_flush function to flush cache pages when PTEs are cleared, preventing stale cache lines from causing random data corruption. Despite these fixes, the vulnerability highlights the complexity of cache and TLB management on PA-RISC systems and the critical need for architecture-specific handling in the Linux kernel. This issue primarily affects legacy PA-RISC hardware running Linux kernels prior to the patch, causing unpredictable segmentation faults and memory corruption that can destabilize systems and disrupt operations.
Potential Impact
For European organizations utilizing legacy PA-RISC hardware with PA8800 or PA8900 processors running affected Linux kernel versions, this vulnerability can cause random segmentation faults and memory corruption, leading to system instability and potential data loss. Such instability can disrupt critical services, especially in industrial, research, or governmental environments where legacy systems may still be in use. The unpredictable nature of the faults complicates troubleshooting and may result in increased downtime and maintenance costs. Although PA-RISC systems are niche and less common in Europe, organizations relying on them for specialized applications could face operational risks. The vulnerability does not appear to be exploitable for remote code execution or privilege escalation but can degrade system reliability and availability, impacting business continuity. Since the issue relates to low-level kernel memory management, it could also affect the integrity of data processed or stored on these systems, raising concerns for sensitive or regulated data environments.
Mitigation Recommendations
European organizations should first identify any PA-RISC based systems running Linux kernels susceptible to this vulnerability. Given the specialized nature of the hardware, inventory and asset management processes must include legacy architectures. The primary mitigation is to apply the official Linux kernel patches that implement the PA-RISC specific cache flush fixes and ptep_clear_flush enhancements. If patching is not immediately feasible, organizations should consider isolating affected systems from critical networks to reduce operational impact and avoid cascading failures. Monitoring system logs for segmentation faults and cache flush warnings can help detect exploitation of this issue. Additionally, organizations should evaluate the necessity of maintaining PA-RISC hardware and plan for migration to supported architectures to reduce long-term risk. For build environments, ensuring that package builds are conducted on stable, patched systems will prevent corruption and build failures. Finally, kernel developers and maintainers should review and test cache and TLB handling code for PA-RISC and similar architectures to prevent recurrence.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
CVE-2024-40918: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: parisc: Try to fix random segmentation faults in package builds PA-RISC systems with PA8800 and PA8900 processors have had problems with random segmentation faults for many years. Systems with earlier processors are much more stable. Systems with PA8800 and PA8900 processors have a large L2 cache which needs per page flushing for decent performance when a large range is flushed. The combined cache in these systems is also more sensitive to non-equivalent aliases than the caches in earlier systems. The majority of random segmentation faults that I have looked at appear to be memory corruption in memory allocated using mmap and malloc. My first attempt at fixing the random faults didn't work. On reviewing the cache code, I realized that there were two issues which the existing code didn't handle correctly. Both relate to cache move-in. Another issue is that the present bit in PTEs is racy. 1) PA-RISC caches have a mind of their own and they can speculatively load data and instructions for a page as long as there is a entry in the TLB for the page which allows move-in. TLBs are local to each CPU. Thus, the TLB entry for a page must be purged before flushing the page. This is particularly important on SMP systems. In some of the flush routines, the flush routine would be called and then the TLB entry would be purged. This was because the flush routine needed the TLB entry to do the flush. 2) My initial approach to trying the fix the random faults was to try and use flush_cache_page_if_present for all flush operations. This actually made things worse and led to a couple of hardware lockups. It finally dawned on me that some lines weren't being flushed because the pte check code was racy. This resulted in random inequivalent mappings to physical pages. The __flush_cache_page tmpalias flush sets up its own TLB entry and it doesn't need the existing TLB entry. As long as we can find the pte pointer for the vm page, we can get the pfn and physical address of the page. We can also purge the TLB entry for the page before doing the flush. Further, __flush_cache_page uses a special TLB entry that inhibits cache move-in. When switching page mappings, we need to ensure that lines are removed from the cache. It is not sufficient to just flush the lines to memory as they may come back. This made it clear that we needed to implement all the required flush operations using tmpalias routines. This includes flushes for user and kernel pages. After modifying the code to use tmpalias flushes, it became clear that the random segmentation faults were not fully resolved. The frequency of faults was worse on systems with a 64 MB L2 (PA8900) and systems with more CPUs (rp4440). The warning that I added to flush_cache_page_if_present to detect pages that couldn't be flushed triggered frequently on some systems. Helge and I looked at the pages that couldn't be flushed and found that the PTE was either cleared or for a swap page. Ignoring pages that were swapped out seemed okay but pages with cleared PTEs seemed problematic. I looked at routines related to pte_clear and noticed ptep_clear_flush. The default implementation just flushes the TLB entry. However, it was obvious that on parisc we need to flush the cache page as well. If we don't flush the cache page, stale lines will be left in the cache and cause random corruption. Once a PTE is cleared, there is no way to find the physical address associated with the PTE and flush the associated page at a later time. I implemented an updated change with a parisc specific version of ptep_clear_flush. It fixed the random data corruption on Helge's rp4440 and rp3440, as well as on my c8000. At this point, I realized that I could restore the code where we only flush in flush_cache_page_if_present if the page has been accessed. However, for this, we also need to flush the cache when the accessed bit is cleared in ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-40918 addresses a long-standing vulnerability in the Linux kernel specifically affecting PA-RISC architecture systems equipped with PA8800 and PA8900 processors. These processors have a large L2 cache that requires careful per-page flushing to maintain performance and data integrity. The vulnerability arises from improper handling of cache flushing and Translation Lookaside Buffer (TLB) management, leading to random segmentation faults and memory corruption during package builds and other memory-intensive operations. The root cause involves the speculative cache move-in behavior of PA-RISC caches, which can load data and instructions based on TLB entries. The Linux kernel's existing cache flush routines did not correctly purge TLB entries before flushing pages, especially on symmetric multiprocessing (SMP) systems, resulting in stale cache lines and inconsistent memory views. Additionally, the page table entry (PTE) checks were racy, causing some cache lines to remain uncleared and leading to inequivalent physical page mappings. The fix involved implementing PA-RISC specific cache flush operations using temporary aliasing (tmpalias) flush routines that set up their own TLB entries and inhibit speculative cache move-in. Furthermore, the patch introduced a parisc-specific ptep_clear_flush function to flush cache pages when PTEs are cleared, preventing stale cache lines from causing random data corruption. Despite these fixes, the vulnerability highlights the complexity of cache and TLB management on PA-RISC systems and the critical need for architecture-specific handling in the Linux kernel. This issue primarily affects legacy PA-RISC hardware running Linux kernels prior to the patch, causing unpredictable segmentation faults and memory corruption that can destabilize systems and disrupt operations.
Potential Impact
For European organizations utilizing legacy PA-RISC hardware with PA8800 or PA8900 processors running affected Linux kernel versions, this vulnerability can cause random segmentation faults and memory corruption, leading to system instability and potential data loss. Such instability can disrupt critical services, especially in industrial, research, or governmental environments where legacy systems may still be in use. The unpredictable nature of the faults complicates troubleshooting and may result in increased downtime and maintenance costs. Although PA-RISC systems are niche and less common in Europe, organizations relying on them for specialized applications could face operational risks. The vulnerability does not appear to be exploitable for remote code execution or privilege escalation but can degrade system reliability and availability, impacting business continuity. Since the issue relates to low-level kernel memory management, it could also affect the integrity of data processed or stored on these systems, raising concerns for sensitive or regulated data environments.
Mitigation Recommendations
European organizations should first identify any PA-RISC based systems running Linux kernels susceptible to this vulnerability. Given the specialized nature of the hardware, inventory and asset management processes must include legacy architectures. The primary mitigation is to apply the official Linux kernel patches that implement the PA-RISC specific cache flush fixes and ptep_clear_flush enhancements. If patching is not immediately feasible, organizations should consider isolating affected systems from critical networks to reduce operational impact and avoid cascading failures. Monitoring system logs for segmentation faults and cache flush warnings can help detect exploitation of this issue. Additionally, organizations should evaluate the necessity of maintaining PA-RISC hardware and plan for migration to supported architectures to reduce long-term risk. For build environments, ensuring that package builds are conducted on stable, patched systems will prevent corruption and build failures. Finally, kernel developers and maintainers should review and test cache and TLB handling code for PA-RISC and similar architectures to prevent recurrence.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-12T12:17:45.581Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9827c4522896dcbe13a8
Added to database: 5/21/2025, 9:08:55 AM
Last enriched: 6/29/2025, 2:11:00 AM
Last updated: 7/27/2025, 12:21:08 AM
Views: 12
Related Threats
CVE-2025-8885: CWE-770 Allocation of Resources Without Limits or Throttling in Legion of the Bouncy Castle Inc. Bouncy Castle for Java
MediumCVE-2025-26398: CWE-798 Use of Hard-coded Credentials in SolarWinds Database Performance Analyzer
MediumCVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM
HighCVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
MediumCVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.