CVE-2024-49934: Vulnerability in Linux Linux

Severity: highType: vulnerabilityCVE-2024-49934

In the Linux kernel, the following vulnerability has been resolved: fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name It's observed that a crash occurs during hot-remove a memory device, in which user is accessing the hugetlb. See calltrace as following: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790 Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s mirror dm_region_hash dm_log dm_mod CPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:do_user_addr_fault+0x2a0/0x790 Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41 RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046 RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658 R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000 FS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x8d/0x190 ? do_user_addr_fault+0x2a0/0x790 ? report_bug+0x1c3/0x1d0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? do_user_addr_fault+0x2a0/0x790 ? exc_page_fault+0x31/0x200 exc_page_fault+0x68/0x200 <...snip...> BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI ---[ end trace 0000000000000000 ]--- BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dentry_name+0x1f4/0x440 <...snip...> ? dentry_name+0x2fa/0x440 vsnprintf+0x1f3/0x4f0 vprintk_store+0x23a/0x540 vprintk_emit+0x6d/0x330 _printk+0x58/0x80 dump_mapping+0x10b/0x1a0 ? __pfx_free_object_rcu+0x10/0x10 __dump_page+0x26b/0x3e0 ? vprintk_emit+0xe0/0x330 ? _printk+0x58/0x80 ? dump_page+0x17/0x50 dump_page+0x17/0x50 do_migrate_range+0x2f7/0x7f0 ? do_migrate_range+0x42/0x7f0 ? offline_pages+0x2f4/0x8c0 offline_pages+0x60a/0x8c0 memory_subsys_offline+0x9f/0x1c0 ? lockdep_hardirqs_on+0x77/0x100 ? _raw_spin_unlock_irqrestore+0x38/0x60 device_offline+0xe3/0x110 state_store+0x6e/0xc0 kernfs_fop_write_iter+0x143/0x200 vfs_write+0x39f/0x560 ksys_write+0x65/0xf0 do_syscall_64+0x62/0x130 Previously, some sanity check have been done in dump_mapping() before the print facility parsing '%pd' though, it's still possible to run into an invalid dentry.d_name.name. Since dump_mapping() only needs to dump the filename only, retrieve it by itself in a safer way to prevent an unnecessary crash. Note that either retrieving the filename with '%pd' or strncpy_from_kernel_nofault(), the filename could be unreliable.

AI Analysis

Technical Summary

CVE-2024-49934 is a vulnerability identified in the Linux kernel related to the handling of memory device hot-removal when userspace processes access huge page tables (hugetlb). The root cause lies in the function dump_mapping(), which attempts to access the dentry.d_name.name field without sufficient validation, leading to a kernel crash (oops) due to an invalid pointer dereference. The vulnerability manifests as a page fault triggered during the hot-remove operation of a memory device, specifically when the user process is interacting with hugetlb memory. The kernel call trace shows the fault occurring in do_user_addr_fault and dump_mapping functions, with the crash caused by an invalid dentry name pointer. Prior to this fix, dump_mapping() used the '%pd' printk format specifier or strncpy_from_kernel_nofault() to retrieve filenames, both of which could still result in unreliable or invalid filename pointers. The patch changes dump_mapping() to retrieve the filename in a safer manner, preventing the kernel from crashing due to invalid memory access. This vulnerability is a stability and availability issue rather than a direct security breach, as it causes a denial of service (DoS) by crashing the kernel. It affects Linux kernel versions around 6.10.0-rc2 and related commits identified by the given hashes. There are no known exploits in the wild at this time, and no CVSS score has been assigned yet. The vulnerability is relevant for systems using memory hot-remove features and hugetlb, which are common in high-performance computing, virtualization, and large memory server environments.

Potential Impact

For European organizations, the primary impact of CVE-2024-49934 is the potential for denial of service due to kernel crashes triggered by hot-removal of memory devices while hugetlb memory is in use. This could affect data centers, cloud providers, and enterprises running Linux-based servers with large memory configurations or memory device hot-plug/hot-remove capabilities. Systems involved in virtualization, container orchestration, or high-performance computing that leverage huge pages for memory optimization are particularly at risk. The crash could lead to service interruptions, data loss in volatile memory, and operational downtime. While this vulnerability does not appear to allow privilege escalation or remote code execution, the availability impact could disrupt critical infrastructure, especially in sectors such as finance, telecommunications, healthcare, and government services that rely heavily on Linux servers. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to accidental or malicious triggering of the crash. Organizations using QEMU or similar virtualization platforms on Linux may also be affected, as indicated by the hardware name in the call trace.

Mitigation Recommendations

To mitigate CVE-2024-49934, European organizations should: 1) Apply the latest Linux kernel patches that address this vulnerability as soon as they become available, especially for kernels in the 6.10.x series or related versions. 2) Avoid performing memory device hot-remove operations on systems actively using hugetlb memory until patched. 3) Implement strict change management and maintenance windows when performing hardware hot-removal to minimize impact. 4) Monitor kernel logs for oops or page fault messages related to dump_mapping or hugetlb usage to detect potential exploitation or accidental triggers. 5) For virtualization environments, ensure hypervisor and guest kernel versions are updated and tested for this fix. 6) Consider disabling memory hot-remove features if not required or feasible to patch immediately. 7) Maintain robust backup and failover strategies to reduce downtime impact from unexpected kernel crashes. These steps go beyond generic advice by focusing on operational controls around memory device management and targeted patching of affected kernel versions.