CVE-2024-53219: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: virtiofs: use pages instead of pointer for kernel direct IO When trying to insert a 10MB kernel module kept in a virtio-fs with cache disabled, the following warning was reported: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ...... Modules linked in: CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:__alloc_pages+0x2bf/0x380 ...... Call Trace: <TASK> ? __warn+0x8e/0x150 ? __alloc_pages+0x2bf/0x380 __kmalloc_large_node+0x86/0x160 __kmalloc+0x33c/0x480 virtio_fs_enqueue_req+0x240/0x6d0 virtio_fs_wake_pending_and_unlock+0x7f/0x190 queue_request_and_unlock+0x55/0x60 fuse_simple_request+0x152/0x2b0 fuse_direct_io+0x5d2/0x8c0 fuse_file_read_iter+0x121/0x160 __kernel_read+0x151/0x2d0 kernel_read+0x45/0x50 kernel_read_file+0x1a9/0x2a0 init_module_from_file+0x6a/0xe0 idempotent_init_module+0x175/0x230 __x64_sys_finit_module+0x5d/0xb0 x64_sys_call+0x1c3/0x9e0 do_syscall_64+0x3d/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ...... </TASK> ---[ end trace 0000000000000000 ]--- The warning is triggered as follows: 1) syscall finit_module() handles the module insertion and it invokes kernel_read_file() to read the content of the module first. 2) kernel_read_file() allocates a 10MB buffer by using vmalloc() and passes it to kernel_read(). kernel_read() constructs a kvec iter by using iov_iter_kvec() and passes it to fuse_file_read_iter(). 3) virtio-fs disables the cache, so fuse_file_read_iter() invokes fuse_direct_io(). As for now, the maximal read size for kvec iter is only limited by fc->max_read. For virtio-fs, max_read is UINT_MAX, so fuse_direct_io() doesn't split the 10MB buffer. It saves the address and the size of the 10MB-sized buffer in out_args[0] of a fuse request and passes the fuse request to virtio_fs_wake_pending_and_unlock(). 4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() to queue the request. Because virtiofs need DMA-able address, so virtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer for all fuse args, copies these args into the bounce buffer and passed the physical address of the bounce buffer to virtiofsd. The total length of these fuse args for the passed fuse request is about 10MB, so copy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter and it triggers the warning in __alloc_pages(): if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) return NULL; 5) virtio_fs_enqueue_req() will retry the memory allocation in a kworker, but it won't help, because kmalloc() will always return NULL due to the abnormal size and finit_module() will hang forever. A feasible solution is to limit the value of max_read for virtio-fs, so the length passed to kmalloc() will be limited. However it will affect the maximal read size for normal read. And for virtio-fs write initiated from kernel, it has the similar problem but now there is no way to limit fc->max_write in kernel. So instead of limiting both the values of max_read and max_write in kernel, introducing use_pages_for_kvec_io in fuse_conn and setting it as true in virtiofs. When use_pages_for_kvec_io is enabled, fuse will use pages instead of pointer to pass the KVEC_IO data. After switching to pages for KVEC_IO data, these pages will be used for DMA through virtio-fs. If these pages are backed by vmalloc(), {flush|invalidate}_kernel_vmap_range() are necessary to flush or invalidate the cache before the DMA operation. So add two new fields in fuse_args_pages to record the base address of vmalloc area and the condition indicating whether invalidation is needed. Perform the flush in fuse_get_user_pages() for write operations and the invalidation in fuse_release_user_pages() for read operations. It may seem necessary to introduce another fie ---truncated---
AI Analysis
Technical Summary
CVE-2024-53219 is a vulnerability in the Linux kernel's virtio-fs implementation related to how kernel direct IO operations handle large memory allocations during module insertion. Specifically, when inserting a large kernel module (e.g., 10MB) stored on a virtio-fs filesystem with caching disabled, the kernel attempts to allocate a large contiguous buffer using kmalloc() for DMA operations. However, kmalloc() is not designed to handle such large allocations (exceeding the maximum page order), triggering a warning and ultimately causing the memory allocation to fail. This failure leads to the finit_module() syscall hanging indefinitely, effectively causing a denial of service (DoS) condition during module insertion. The root cause is that virtio-fs disables caching and sets the maximum read size (max_read) to UINT_MAX, allowing very large read requests that are not split. When the kernel reads the module file, it uses a kvec iterator that passes a 10MB buffer to fuse_file_read_iter(), which calls fuse_direct_io(). The large buffer is then copied into a bounce buffer allocated by kmalloc() for DMA, but kmalloc() cannot allocate such a large buffer, causing the failure. The fix involves introducing a new flag, use_pages_for_kvec_io, in the fuse connection, which is enabled for virtio-fs. This flag changes the data passing mechanism from pointers to pages, allowing the kernel to handle large IO buffers more efficiently without requiring large contiguous kmalloc allocations. Additional cache flush and invalidate operations are introduced to maintain data consistency for DMA operations on vmalloc-backed pages. This vulnerability affects Linux kernel versions including the 6.9.0-rc5+ release candidate and likely other versions using virtio-fs with caching disabled. Although no known exploits are reported in the wild, the issue can cause kernel hangs during module insertion, impacting system stability and availability.
Potential Impact
For European organizations relying on Linux systems with virtio-fs (commonly used in virtualized environments such as QEMU/KVM), this vulnerability can lead to denial of service conditions when inserting kernel modules from virtio-fs filesystems with caching disabled. This is particularly relevant for cloud providers, data centers, and enterprises using virtualization extensively. The inability to load kernel modules can prevent security patches or new drivers from being applied dynamically, increasing exposure to other threats. Furthermore, system hangs during module insertion can disrupt critical services, impacting availability and operational continuity. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact can be significant in environments requiring high uptime and dynamic kernel module management.
Mitigation Recommendations
1. Apply the official Linux kernel patches that introduce the use_pages_for_kvec_io flag and related fixes to virtio-fs to handle large IO buffers safely. 2. Until patches are applied, avoid inserting large kernel modules from virtio-fs filesystems with caching disabled. 3. Consider enabling caching on virtio-fs mounts if feasible, to reduce the likelihood of triggering this issue. 4. Monitor kernel logs for warnings related to __alloc_pages and kmalloc failures during module insertion. 5. For environments heavily dependent on virtio-fs, test kernel module insertion workflows after patching to ensure stability. 6. Implement robust monitoring and alerting on virtualization hosts to detect hangs or stalls during kernel module operations. 7. Coordinate with virtualization platform vendors to ensure virtio-fs implementations are updated promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2024-53219: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: virtiofs: use pages instead of pointer for kernel direct IO When trying to insert a 10MB kernel module kept in a virtio-fs with cache disabled, the following warning was reported: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 404 at mm/page_alloc.c:4551 ...... Modules linked in: CPU: 1 PID: 404 Comm: insmod Not tainted 6.9.0-rc5+ #123 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:__alloc_pages+0x2bf/0x380 ...... Call Trace: <TASK> ? __warn+0x8e/0x150 ? __alloc_pages+0x2bf/0x380 __kmalloc_large_node+0x86/0x160 __kmalloc+0x33c/0x480 virtio_fs_enqueue_req+0x240/0x6d0 virtio_fs_wake_pending_and_unlock+0x7f/0x190 queue_request_and_unlock+0x55/0x60 fuse_simple_request+0x152/0x2b0 fuse_direct_io+0x5d2/0x8c0 fuse_file_read_iter+0x121/0x160 __kernel_read+0x151/0x2d0 kernel_read+0x45/0x50 kernel_read_file+0x1a9/0x2a0 init_module_from_file+0x6a/0xe0 idempotent_init_module+0x175/0x230 __x64_sys_finit_module+0x5d/0xb0 x64_sys_call+0x1c3/0x9e0 do_syscall_64+0x3d/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ...... </TASK> ---[ end trace 0000000000000000 ]--- The warning is triggered as follows: 1) syscall finit_module() handles the module insertion and it invokes kernel_read_file() to read the content of the module first. 2) kernel_read_file() allocates a 10MB buffer by using vmalloc() and passes it to kernel_read(). kernel_read() constructs a kvec iter by using iov_iter_kvec() and passes it to fuse_file_read_iter(). 3) virtio-fs disables the cache, so fuse_file_read_iter() invokes fuse_direct_io(). As for now, the maximal read size for kvec iter is only limited by fc->max_read. For virtio-fs, max_read is UINT_MAX, so fuse_direct_io() doesn't split the 10MB buffer. It saves the address and the size of the 10MB-sized buffer in out_args[0] of a fuse request and passes the fuse request to virtio_fs_wake_pending_and_unlock(). 4) virtio_fs_wake_pending_and_unlock() uses virtio_fs_enqueue_req() to queue the request. Because virtiofs need DMA-able address, so virtio_fs_enqueue_req() uses kmalloc() to allocate a bounce buffer for all fuse args, copies these args into the bounce buffer and passed the physical address of the bounce buffer to virtiofsd. The total length of these fuse args for the passed fuse request is about 10MB, so copy_args_to_argbuf() invokes kmalloc() with a 10MB size parameter and it triggers the warning in __alloc_pages(): if (WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)) return NULL; 5) virtio_fs_enqueue_req() will retry the memory allocation in a kworker, but it won't help, because kmalloc() will always return NULL due to the abnormal size and finit_module() will hang forever. A feasible solution is to limit the value of max_read for virtio-fs, so the length passed to kmalloc() will be limited. However it will affect the maximal read size for normal read. And for virtio-fs write initiated from kernel, it has the similar problem but now there is no way to limit fc->max_write in kernel. So instead of limiting both the values of max_read and max_write in kernel, introducing use_pages_for_kvec_io in fuse_conn and setting it as true in virtiofs. When use_pages_for_kvec_io is enabled, fuse will use pages instead of pointer to pass the KVEC_IO data. After switching to pages for KVEC_IO data, these pages will be used for DMA through virtio-fs. If these pages are backed by vmalloc(), {flush|invalidate}_kernel_vmap_range() are necessary to flush or invalidate the cache before the DMA operation. So add two new fields in fuse_args_pages to record the base address of vmalloc area and the condition indicating whether invalidation is needed. Perform the flush in fuse_get_user_pages() for write operations and the invalidation in fuse_release_user_pages() for read operations. It may seem necessary to introduce another fie ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2024-53219 is a vulnerability in the Linux kernel's virtio-fs implementation related to how kernel direct IO operations handle large memory allocations during module insertion. Specifically, when inserting a large kernel module (e.g., 10MB) stored on a virtio-fs filesystem with caching disabled, the kernel attempts to allocate a large contiguous buffer using kmalloc() for DMA operations. However, kmalloc() is not designed to handle such large allocations (exceeding the maximum page order), triggering a warning and ultimately causing the memory allocation to fail. This failure leads to the finit_module() syscall hanging indefinitely, effectively causing a denial of service (DoS) condition during module insertion. The root cause is that virtio-fs disables caching and sets the maximum read size (max_read) to UINT_MAX, allowing very large read requests that are not split. When the kernel reads the module file, it uses a kvec iterator that passes a 10MB buffer to fuse_file_read_iter(), which calls fuse_direct_io(). The large buffer is then copied into a bounce buffer allocated by kmalloc() for DMA, but kmalloc() cannot allocate such a large buffer, causing the failure. The fix involves introducing a new flag, use_pages_for_kvec_io, in the fuse connection, which is enabled for virtio-fs. This flag changes the data passing mechanism from pointers to pages, allowing the kernel to handle large IO buffers more efficiently without requiring large contiguous kmalloc allocations. Additional cache flush and invalidate operations are introduced to maintain data consistency for DMA operations on vmalloc-backed pages. This vulnerability affects Linux kernel versions including the 6.9.0-rc5+ release candidate and likely other versions using virtio-fs with caching disabled. Although no known exploits are reported in the wild, the issue can cause kernel hangs during module insertion, impacting system stability and availability.
Potential Impact
For European organizations relying on Linux systems with virtio-fs (commonly used in virtualized environments such as QEMU/KVM), this vulnerability can lead to denial of service conditions when inserting kernel modules from virtio-fs filesystems with caching disabled. This is particularly relevant for cloud providers, data centers, and enterprises using virtualization extensively. The inability to load kernel modules can prevent security patches or new drivers from being applied dynamically, increasing exposure to other threats. Furthermore, system hangs during module insertion can disrupt critical services, impacting availability and operational continuity. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact can be significant in environments requiring high uptime and dynamic kernel module management.
Mitigation Recommendations
1. Apply the official Linux kernel patches that introduce the use_pages_for_kvec_io flag and related fixes to virtio-fs to handle large IO buffers safely. 2. Until patches are applied, avoid inserting large kernel modules from virtio-fs filesystems with caching disabled. 3. Consider enabling caching on virtio-fs mounts if feasible, to reduce the likelihood of triggering this issue. 4. Monitor kernel logs for warnings related to __alloc_pages and kmalloc failures during module insertion. 5. For environments heavily dependent on virtio-fs, test kernel module insertion workflows after patching to ensure stability. 6. Implement robust monitoring and alerting on virtualization hosts to detect hangs or stalls during kernel module operations. 7. Coordinate with virtualization platform vendors to ensure virtio-fs implementations are updated promptly.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-11-19T17:17:25.024Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9823c4522896dcbdef91
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 10:55:11 AM
Last updated: 8/2/2025, 12:26:28 PM
Views: 16
Related Threats
CVE-2025-50610: n/a
HighCVE-2025-50609: n/a
HighCVE-2025-50608: n/a
HighCVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server
MediumCVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.