CVE-2024-42317: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: avoid PMD-size page cache if needed xarray can't support arbitrary page cache size. the largest and supported page cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71 ("mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray"). However, it's possible to have 512MB page cache in the huge memory's collapsing path on ARM64 system whose base page size is 64KB. 512MB page cache is breaking the limitation and a warning is raised when the xarray entry is split as shown in the following example. [root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize KernelPageSize: 64 kB [root@dhcp-10-26-1-207 ~]# cat /tmp/test.c : int main(int argc, char **argv) { const char *filename = TEST_XFS_FILENAME; int fd = 0; void *buf = (void *)-1, *p; int pgsize = getpagesize(); int ret = 0; if (pgsize != 0x10000) { fprintf(stdout, "System with 64KB base page size is required!\n"); return -EPERM; } system("echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb"); system("echo 1 > /proc/sys/vm/drop_caches"); /* Open the xfs file */ fd = open(filename, O_RDONLY); assert(fd > 0); /* Create VMA */ buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0); assert(buf != (void *)-1); fprintf(stdout, "mapped buffer at 0x%p\n", buf); /* Populate VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE); assert(ret == 0); ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ); assert(ret == 0); /* Collapse VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE); assert(ret == 0); ret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE); if (ret) { fprintf(stdout, "Error %d to madvise(MADV_COLLAPSE)\n", errno); goto out; } /* Split xarray entry. Write permission is needed */ munmap(buf, TEST_MEM_SIZE); buf = (void *)-1; close(fd); fd = open(filename, O_RDWR); assert(fd > 0); fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, TEST_MEM_SIZE - pgsize, pgsize); out: if (buf != (void *)-1) munmap(buf, TEST_MEM_SIZE); if (fd > 0) close(fd); return ret; } [root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test [root@dhcp-10-26-1-207 ~]# /tmp/test ------------[ cut here ]------------ WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \ xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \ sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x780 sp : ffff8000ac32f660 x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0 x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000 x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8 x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x780 truncate_inode_partial_folio+0xdc/0x160 truncate_inode_pages_range+0x1b4/0x4a8 truncate_pagecache_range+0x84/0xa ---truncated---
AI Analysis
Technical Summary
CVE-2024-42317 is a vulnerability identified in the Linux kernel, specifically related to the handling of huge memory pages on ARM64 architectures with a base page size of 64KB. The issue arises from the Linux kernel's memory management subsystem, particularly within the 'mm/huge_memory' code that manages huge pages and the page cache. The vulnerability is due to the xarray data structure's inability to support arbitrary page cache sizes beyond a defined maximum (MAX_PAGECACHE_ORDER). However, on ARM64 systems with 64KB base page size, it is possible to have a 512MB page cache in the huge memory collapsing path, which exceeds this limitation. This discrepancy causes the kernel to raise warnings and potentially leads to unstable behavior or memory corruption during operations that involve splitting xarray entries, such as collapsing huge pages or truncating page cache ranges. The vulnerability manifests when a user-space process performs a sequence of memory management operations involving mmap, madvise with MADV_NOHUGEPAGE, MADV_POPULATE_READ, MADV_HUGEPAGE, and MADV_COLLAPSE, followed by file operations that punch holes in files (fallocate with FALLOC_FL_PUNCH_HOLE). This sequence triggers the kernel to split xarray entries improperly, leading to warnings and potential kernel instability. The kernel warning trace indicates the problem occurs in the function xas_split_alloc, which is critical for managing xarray entries representing page cache mappings. This vulnerability affects Linux kernel versions around 6.10.0-rc7 and likely other versions that share the same memory management implementation. It is specific to ARM64 systems with 64KB base page size, which is common in certain server and embedded environments. The vulnerability does not have a known exploit in the wild yet, and no CVSS score has been assigned. However, the underlying issue could lead to kernel crashes or memory corruption, which may be leveraged for denial of service or potentially privilege escalation if combined with other vulnerabilities.
Potential Impact
For European organizations, the impact of CVE-2024-42317 depends largely on their deployment of ARM64-based Linux systems with 64KB base page size. Such systems are increasingly used in cloud infrastructure, edge computing, and specialized server environments. A successful exploitation could cause kernel panics or memory corruption, leading to denial of service conditions on critical servers or devices. This could disrupt business operations, especially for organizations relying on ARM64 hardware for virtualization, container orchestration, or high-performance computing. Although no direct exploit is known, the vulnerability could be a vector for attackers to destabilize systems or potentially escalate privileges if chained with other vulnerabilities. This risk is higher in environments where untrusted users or processes have the ability to perform the memory management operations described. The impact on confidentiality and integrity is indirect but possible if kernel memory corruption leads to unauthorized access or data leakage. Availability impact is more immediate due to potential system crashes. European organizations in sectors such as telecommunications, cloud service providers, research institutions, and government agencies that deploy ARM64 Linux servers should be particularly vigilant. The vulnerability could also affect embedded systems used in critical infrastructure, increasing the risk profile for industrial control systems and IoT deployments.
Mitigation Recommendations
1. Apply Kernel Updates: Organizations should promptly apply Linux kernel patches that address this vulnerability once available from their Linux distribution vendors or upstream kernel sources. Monitoring vendor advisories for updated kernel packages is critical. 2. Restrict Access: Limit the ability of unprivileged users or processes to perform the specific sequence of memory management operations that trigger the vulnerability. This includes controlling access to mmap, madvise, and fallocate system calls through mandatory access controls (e.g., SELinux, AppArmor) or container runtime restrictions. 3. Hardware and Architecture Awareness: Identify and inventory ARM64 systems with 64KB base page size in the environment. Prioritize patching and monitoring on these systems as they are directly affected. 4. Monitoring and Logging: Enable detailed kernel logging and monitor for warning messages similar to those described (e.g., warnings from xas_split_alloc). Early detection of attempts to exploit or trigger the vulnerability can aid in incident response. 5. Limit Huge Page Usage: Where feasible, configure systems to limit or disable huge page collapsing features on affected ARM64 systems until patches are applied. 6. Test Updates in Staging: Due to the complexity of kernel memory management, test kernel updates in staging environments to ensure stability before wide deployment. 7. Incident Response Preparedness: Prepare for potential denial of service incidents by having recovery procedures and backups in place for affected systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Ireland
CVE-2024-42317: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: avoid PMD-size page cache if needed xarray can't support arbitrary page cache size. the largest and supported page cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71 ("mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray"). However, it's possible to have 512MB page cache in the huge memory's collapsing path on ARM64 system whose base page size is 64KB. 512MB page cache is breaking the limitation and a warning is raised when the xarray entry is split as shown in the following example. [root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize KernelPageSize: 64 kB [root@dhcp-10-26-1-207 ~]# cat /tmp/test.c : int main(int argc, char **argv) { const char *filename = TEST_XFS_FILENAME; int fd = 0; void *buf = (void *)-1, *p; int pgsize = getpagesize(); int ret = 0; if (pgsize != 0x10000) { fprintf(stdout, "System with 64KB base page size is required!\n"); return -EPERM; } system("echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb"); system("echo 1 > /proc/sys/vm/drop_caches"); /* Open the xfs file */ fd = open(filename, O_RDONLY); assert(fd > 0); /* Create VMA */ buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0); assert(buf != (void *)-1); fprintf(stdout, "mapped buffer at 0x%p\n", buf); /* Populate VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE); assert(ret == 0); ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ); assert(ret == 0); /* Collapse VMA */ ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE); assert(ret == 0); ret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE); if (ret) { fprintf(stdout, "Error %d to madvise(MADV_COLLAPSE)\n", errno); goto out; } /* Split xarray entry. Write permission is needed */ munmap(buf, TEST_MEM_SIZE); buf = (void *)-1; close(fd); fd = open(filename, O_RDWR); assert(fd > 0); fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE, TEST_MEM_SIZE - pgsize, pgsize); out: if (buf != (void *)-1) munmap(buf, TEST_MEM_SIZE); if (fd > 0) close(fd); return ret; } [root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test [root@dhcp-10-26-1-207 ~]# /tmp/test ------------[ cut here ]------------ WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128 Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \ nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \ nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \ ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \ xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \ sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9 Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : xas_split_alloc+0xf8/0x128 lr : split_huge_page_to_list_to_order+0x1c4/0x780 sp : ffff8000ac32f660 x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0 x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000 x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8 x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40 x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000 Call trace: xas_split_alloc+0xf8/0x128 split_huge_page_to_list_to_order+0x1c4/0x780 truncate_inode_partial_folio+0xdc/0x160 truncate_inode_pages_range+0x1b4/0x4a8 truncate_pagecache_range+0x84/0xa ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-42317 is a vulnerability identified in the Linux kernel, specifically related to the handling of huge memory pages on ARM64 architectures with a base page size of 64KB. The issue arises from the Linux kernel's memory management subsystem, particularly within the 'mm/huge_memory' code that manages huge pages and the page cache. The vulnerability is due to the xarray data structure's inability to support arbitrary page cache sizes beyond a defined maximum (MAX_PAGECACHE_ORDER). However, on ARM64 systems with 64KB base page size, it is possible to have a 512MB page cache in the huge memory collapsing path, which exceeds this limitation. This discrepancy causes the kernel to raise warnings and potentially leads to unstable behavior or memory corruption during operations that involve splitting xarray entries, such as collapsing huge pages or truncating page cache ranges. The vulnerability manifests when a user-space process performs a sequence of memory management operations involving mmap, madvise with MADV_NOHUGEPAGE, MADV_POPULATE_READ, MADV_HUGEPAGE, and MADV_COLLAPSE, followed by file operations that punch holes in files (fallocate with FALLOC_FL_PUNCH_HOLE). This sequence triggers the kernel to split xarray entries improperly, leading to warnings and potential kernel instability. The kernel warning trace indicates the problem occurs in the function xas_split_alloc, which is critical for managing xarray entries representing page cache mappings. This vulnerability affects Linux kernel versions around 6.10.0-rc7 and likely other versions that share the same memory management implementation. It is specific to ARM64 systems with 64KB base page size, which is common in certain server and embedded environments. The vulnerability does not have a known exploit in the wild yet, and no CVSS score has been assigned. However, the underlying issue could lead to kernel crashes or memory corruption, which may be leveraged for denial of service or potentially privilege escalation if combined with other vulnerabilities.
Potential Impact
For European organizations, the impact of CVE-2024-42317 depends largely on their deployment of ARM64-based Linux systems with 64KB base page size. Such systems are increasingly used in cloud infrastructure, edge computing, and specialized server environments. A successful exploitation could cause kernel panics or memory corruption, leading to denial of service conditions on critical servers or devices. This could disrupt business operations, especially for organizations relying on ARM64 hardware for virtualization, container orchestration, or high-performance computing. Although no direct exploit is known, the vulnerability could be a vector for attackers to destabilize systems or potentially escalate privileges if chained with other vulnerabilities. This risk is higher in environments where untrusted users or processes have the ability to perform the memory management operations described. The impact on confidentiality and integrity is indirect but possible if kernel memory corruption leads to unauthorized access or data leakage. Availability impact is more immediate due to potential system crashes. European organizations in sectors such as telecommunications, cloud service providers, research institutions, and government agencies that deploy ARM64 Linux servers should be particularly vigilant. The vulnerability could also affect embedded systems used in critical infrastructure, increasing the risk profile for industrial control systems and IoT deployments.
Mitigation Recommendations
1. Apply Kernel Updates: Organizations should promptly apply Linux kernel patches that address this vulnerability once available from their Linux distribution vendors or upstream kernel sources. Monitoring vendor advisories for updated kernel packages is critical. 2. Restrict Access: Limit the ability of unprivileged users or processes to perform the specific sequence of memory management operations that trigger the vulnerability. This includes controlling access to mmap, madvise, and fallocate system calls through mandatory access controls (e.g., SELinux, AppArmor) or container runtime restrictions. 3. Hardware and Architecture Awareness: Identify and inventory ARM64 systems with 64KB base page size in the environment. Prioritize patching and monitoring on these systems as they are directly affected. 4. Monitoring and Logging: Enable detailed kernel logging and monitor for warning messages similar to those described (e.g., warnings from xas_split_alloc). Early detection of attempts to exploit or trigger the vulnerability can aid in incident response. 5. Limit Huge Page Usage: Where feasible, configure systems to limit or disable huge page collapsing features on affected ARM64 systems until patches are applied. 6. Test Updates in Staging: Due to the complexity of kernel memory management, test kernel updates in staging environments to ensure stability before wide deployment. 7. Incident Response Preparedness: Prepare for potential denial of service incidents by having recovery procedures and backups in place for affected systems.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-07-30T07:40:12.278Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9828c4522896dcbe1f0a
Added to database: 5/21/2025, 9:08:56 AM
Last enriched: 6/29/2025, 7:10:52 AM
Last updated: 8/14/2025, 6:44:05 PM
Views: 21
Related Threats
CVE-2025-9311: SQL Injection in itsourcecode Apartment Management System
MediumCVE-2025-57765: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
MediumCVE-2025-57764: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LabRedesCefetRJ WeGIA
MediumCVE-2025-55522: n/a
HighCVE-2025-55521: n/a
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.