CVE-2024-50022: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

device-dax: correct pgoff align in dax_set_mapping()

pgoff should be aligned using ALIGN_DOWN() instead of ALIGN(). Otherwise, vmf->address not aligned to fault_size will be aligned to the next alignment, which can result in memory failure getting the wrong address.

It's a subtle situation that can only be observed in page_mapped_in_vma() after the page has been page-fault handled by dev_dax_huge_fault. Generally, there is little chance to perform page_mapped_in_vma on a dev-dax page unless in specific error injection to the dax device to trigger an MCE - memory-failure. In that case, page_mapped_in_vma() will be triggered to determine which task is accessing the failure address and kill that task in the end.

We used a self-developed dax device (which is a 2M-aligned mapping) to perform error injection to a random address. It turned out that an error injected to a non-2M-aligned address was causing endless MCE until panic, because page_mapped_in_vma() kept resulting in the wrong address and the task accessing the failure address was never killed properly:

[ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3784.049006] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3784.448042] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3784.792026] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3784.792179] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3785.162502] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3785.162633] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3785.461116] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3785.461247] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3785.764730] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3785.764859] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3786.042128] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3786.042259] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3786.464293] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3786.464423] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3786.818090] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3786.818217] Memory failure: 0x200c9742: recovery action for dax page: Recovered
[ 3787.085297] mce: Uncorrected hardware memory error in user-access at 200c9742380
[ 3787.085424] Memory failure: 0x200c9742: recovery action for dax page: Recovered

It took us several weeks to pinpoint this problem, but we eventually used bpftrace to trace the page fault and mce address and successfully identified the issue.

Joao added:

> Likely we never reproduce in production because we always pin
> device-dax regions in the region align they provide (Qemu does
> similarly with prealloc in hugetlb/file backed memory). I think this
> bug requires that we touch *unpinned* device-dax regions unaligned to
> the device-dax selected alignment (page size i.e. 4K/2M/1G)
AI Analysis
Technical Summary
CVE-2024-50022 is a vulnerability identified in the Linux kernel's device-dax subsystem, specifically in the dax_set_mapping() function. The issue arises from improper alignment of the page offset (pgoff) using ALIGN() instead of ALIGN_DOWN(). This misalignment causes the vmf->address to be rounded up to the next alignment boundary rather than down to the boundary of the huge page that actually contains it. The consequence is that during memory failure handling, particularly in the page_mapped_in_vma() function after a page fault handled by dev_dax_huge_fault, the kernel resolves the faulting page to an incorrect user address. This subtle bug manifests primarily under error injection scenarios targeting device-dax regions that are not aligned to the expected device-dax alignment (e.g., 2MB for huge pages). When such unaligned accesses occur, the kernel's memory failure recovery mechanism repeatedly reports the page as recovered while the Machine Check Exception (MCE) keeps recurring at the same address, causing endless MCE loops and potentially leading to a system panic. The vulnerability is difficult to reproduce in typical production environments because device-dax regions are usually pinned and aligned correctly. However, in custom or error-injection testing environments using self-developed dax devices with 2MB-aligned mappings, the issue was observed as continuous memory failure logs and uncorrected hardware memory errors. The root cause is the incorrect alignment logic in dax_set_mapping(); because of it, the kernel fails to identify the task accessing the faulty memory address, and so never kills the offending task and recovers gracefully. This vulnerability affects the Linux kernel versions identified by the commit hash b9b5777f09be84d0de472ded2253d2f5101427f2 and potentially others with similar device-dax implementations. No known exploits are reported in the wild, and no CVSS score has been assigned yet.
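The alignment error described above, as an added example that is not kernel code: a userspace model of the arithmetic dax_set_mapping() stores in page->index and page_address_in_vma() later inverts. It assumes 4K pages, a constructed 2M-aligned VMA (example_vma) and a constructed fault address inside its first huge page; with ALIGN() the recovered address lands on the next huge page and does not cover the fault, with ALIGN_DOWN() it does.

```c
#include <stdbool.h>
/* Kernel-style alignment helpers (a must be a power of two). */
#define ALIGN(x, a)      (((x) + ((a) - 1)) & ~((a) - 1))
#define ALIGN_DOWN(x, a) ((x) & ~((a) - 1))

#define PAGE_SHIFT 12UL
#define PMD_SIZE   (1UL << 21)   /* 2M: the device-dax alignment in the report */

/* Constructed stand-in for the two vm_area_struct fields this bug involves. */
struct vma_model {
    unsigned long vm_start;  /* first user address of the mapping */
    unsigned long vm_pgoff;  /* file offset of vm_start, in pages */
};

/* Constructed sample: a 2M-aligned mapping, faulted at a non-2M-aligned address. */
static const struct vma_model example_vma = { .vm_start = 0x7f0000000000UL, .vm_pgoff = 0 };
#define EXAMPLE_FAULT_ADDR (example_vma.vm_start + 3 * (1UL << PAGE_SHIFT) + 0x380)

/* Same arithmetic as linear_page_index(): file page index of a user address. */
static unsigned long linear_page_index(const struct vma_model *vma, unsigned long addr)
{
    return ((addr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
}

/* pgoff as dax_set_mapping() computed it before the fix (ALIGN rounds up) and
 * after it (ALIGN_DOWN rounds down); this value ends up in page->index. */
static unsigned long dax_pgoff_before_fix(const struct vma_model *vma, unsigned long addr, unsigned long fault_size)
{
    return linear_page_index(vma, ALIGN(addr, fault_size));
}

static unsigned long dax_pgoff_after_fix(const struct vma_model *vma, unsigned long addr, unsigned long fault_size)
{
    return linear_page_index(vma, ALIGN_DOWN(addr, fault_size));
}

/* Same arithmetic as page_address_in_vma(): the user address memory-failure
 * derives from page->index when it looks for the task to kill. */
static unsigned long page_address_in_vma(const struct vma_model *vma, unsigned long index)
{
    return vma->vm_start + ((index - vma->vm_pgoff) << PAGE_SHIFT);
}

/* Does the address recovered from the stored index actually cover the fault? */
static bool index_covers_fault(const struct vma_model *vma, unsigned long index, unsigned long fault_addr, unsigned long fault_size)
{
    unsigned long base = page_address_in_vma(vma, index);
    return fault_addr >= base && fault_addr < base + fault_size;
}
```

A fault address that is already 2M-aligned gives the same index either way, which is why pinned, aligned regions never show the problem.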
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems utilizing device-dax for direct access to persistent memory or similar hardware, especially in environments where custom device-dax configurations or error injection testing is performed. The impact includes potential system instability or kernel panics due to endless MCE loops triggered by unaligned memory accesses. This can lead to denial of service conditions affecting critical infrastructure, cloud providers, and data centers relying on Linux servers with device-dax enabled. Confidentiality and integrity impacts are minimal since the vulnerability does not directly allow arbitrary code execution or data leakage. However, availability is significantly impacted due to potential system crashes. Organizations running high-availability services or real-time systems on Linux with device-dax support may experience service disruptions. The subtlety of the bug and its dependence on specific alignment conditions mean that many standard Linux deployments may not be affected, but specialized environments using huge pages and device-dax mappings are at risk. Given the complexity of reproducing the issue, detection and diagnosis require advanced tracing tools like bpftrace, which may limit rapid identification in operational environments.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Apply the latest Linux kernel patches that correct the alignment logic in dax_set_mapping() as soon as they become available from trusted sources or Linux distributions.
2) Audit and verify device-dax configurations to ensure that all device-dax regions are properly pinned and aligned to their expected boundaries (e.g., 2MB for huge pages), avoiding unpinned or unaligned mappings that trigger the bug.
3) Implement enhanced monitoring for MCE logs and memory failure messages to detect symptoms of this issue early, using kernel tracing tools such as bpftrace to correlate page faults and MCE addresses.
4) For environments performing error injection or custom device-dax development, conduct thorough testing with the patched kernel to validate stability and correct memory failure handling.
5) Consider isolating or limiting the use of device-dax features in critical production systems until patches are applied and configurations verified.
6) Engage with Linux vendor support channels for guidance on backported fixes and best practices for device-dax usage.
These steps go beyond generic advice by focusing on alignment verification, proactive monitoring, and controlled deployment of device-dax features.
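For the monitoring step, an added example that is not part of this advisory: a small C checker run over a constructed dmesg excerpt modelled on the report's lines. It counts how often the same PFN is reported "Recovered" for a dax page; a sound recovery reports a PFN once, so a repeat count above a small threshold is the loop the report describes. The table size and sample lines are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample dmesg excerpt modelled on the lines quoted in the report:
 * the same PFN is reported "Recovered" again and again while the MCE recurs. */
static const char *const sample_dmesg[] = {
    "[ 3783.719419] Memory failure: 0x200c9742: recovery action for dax page: Recovered",
    "[ 3784.049006] mce: Uncorrected hardware memory error in user-access at 200c9742380",
    "[ 3784.049190] Memory failure: 0x200c9742: recovery action for dax page: Recovered",
    "[ 3784.448186] Memory failure: 0x200c9742: recovery action for dax page: Recovered",
    "[ 3790.000000] Memory failure: 0x1abcd: recovery action for dax page: Recovered",
};
#define SAMPLE_LINES (sizeof sample_dmesg / sizeof sample_dmesg[0])
#define MAX_PFNS 64

/* PFN of a dax-page "Recovered" memory-failure line, or 0 for any other line. The
 * suffix is checked separately: sscanf's return value only counts conversions. */
static unsigned long parse_dax_recovered(const char *line)
{
    const char *p = strstr(line, "Memory failure: 0x");
    unsigned long pfn;
    if (!p || sscanf(p, "Memory failure: 0x%lx", &pfn) != 1)
        return 0;
    return strstr(p, "recovery action for dax page: Recovered") ? pfn : 0;
}

/* Highest number of "Recovered" reports for any one PFN (that PFN is stored in
 * *worst_pfn when non-NULL). Alert when the result exceeds a small threshold. */
static int max_dax_recovered_repeats(const char *const *lines, size_t n, unsigned long *worst_pfn)
{
    unsigned long pfns[MAX_PFNS], pfn;
    int hits[MAX_PFNS], best = 0;
    size_t npfn = 0, i, k;
    for (i = 0; i < n; i++) {
        if (!(pfn = parse_dax_recovered(lines[i])))
            continue;
        for (k = 0; k < npfn && pfns[k] != pfn; k++) { }  /* look up the PFN */
        if (k == npfn) {
            if (npfn == MAX_PFNS)
                continue;               /* table full: drop rather than overflow */
            pfns[npfn] = pfn;
            hits[npfn++] = 0;
        }
        if (++hits[k] > best) {
            best = hits[k];
            if (worst_pfn)
                *worst_pfn = pfns[k];
        }
    }
    return best;
}
```

On a live system the same function can be fed the lines of `dmesg` or the journal; the sample here yields 3 repeats for PFN 0x200c9742 and 1 for the unrelated PFN.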
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.064Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9824c4522896dcbdfd01
Added to database: 5/21/2025, 9:08:52 AM
Last enriched: 6/28/2025, 4:25:32 PM
Last updated: 8/1/2025, 6:08:02 AM