CVE-2024-56673: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

riscv: mm: Do not call pmd dtor on vmemmap page table teardown

The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page tables are populated using pmd (page middle directory) hugetables. However, the pmd allocation is not using the generic mechanism used by the VMA code (e.g. pmd_alloc()), or the RISC-V specific create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table code allocates a page, and calls vmemmap_set_pmd(). This results in that the pmd ctor is *not* called, nor would it make sense to do so.

Now, when tearing down a vmemmap page table pmd, the cleanup code would unconditionally, and incorrectly call the pmd dtor, which results in a crash (best case).

This issue was found when running the HMM selftests:

| tools/testing/selftests/mm# ./test_hmm.sh smoke
| ... # when unloading the test_hmm.ko module
| page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b
| flags: 0x1000000000000000(node=0|zone=1)
| raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000
| raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
| page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)
| ------------[ cut here ]------------
| kernel BUG at include/linux/mm.h:3080!
| Kernel BUG [#1]
| Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod
| CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2
| Tainted: [W]=WARN
| Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024
| epc : remove_pgd_mapping+0xbec/0x1070
| ra : remove_pgd_mapping+0xbec/0x1070
| epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940
| gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04
| t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50
| s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008
| a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000
| a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8
| s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000
| s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000
| s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0
| s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00
| t5 : ff60000080244000 t6 : ff20000000a73708
| status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003
| [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070
| [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e
| [<ffffffff8032e698>] section_deactivate+0x220/0x452
| [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58
| [<ffffffff802f8700>] __remove_pages+0x7e/0xba
| [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe
| [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]
| [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]
| [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6
| [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266
| [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2
| Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597
| ---[ end trace 0000000000000000 ]---
| Kernel panic - not syncing: Fatal exception in interrupt

Add a check to avoid calling the pmd dtor, if the calling context is vmemmap_free().
AI Analysis
Technical Summary
CVE-2024-56673 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture's memory management subsystem. The issue arises in the handling of the vmemmap page tables used for RV64 with SPARSEMEM_VMEMMAP configurations. Normally, page middle directory (pmd) entries are allocated and deallocated using generic mechanisms that include constructor (ctor) and destructor (dtor) calls to manage lifecycle and consistency. However, in this case, the vmemmap page tables allocate pmd entries directly without invoking the standard pmd constructor. Consequently, when the vmemmap page tables are torn down, the cleanup code erroneously calls the pmd destructor unconditionally. This mismatch leads to a kernel crash or BUG due to improper teardown of page tables, as the destructor assumes initialization that never occurred. The vulnerability was discovered during Heterogeneous Memory Management (HMM) self-tests, which triggered a kernel panic when unloading a test kernel module. The root cause is a missing conditional check to prevent calling the pmd destructor in the vmemmap_free() context. The fix involves adding this check to avoid the invalid destructor call. This flaw can cause system instability or denial of service (DoS) on affected Linux systems running on RISC-V hardware with the specific memory configuration. There is no indication of remote exploitability or privilege escalation, and no known exploits are reported in the wild at this time.
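The constructor/destructor mismatch described above, reduced to a user-space C model (an added example, not kernel code and not from the original page). The struct, the function names and the stale sentinel value are hypothetical; only `pmd_huge_pte` and the `VM_BUG_ON_PAGE` check come from the oops in the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model only: every name below is hypothetical, not kernel code. */
struct ptdesc_model {
    void *pmd_huge_pte;              /* valid only once the ctor has run */
};
enum result { TEARDOWN_OK, TEARDOWN_BUG };

/* run_ctor == true models the generic pmd_alloc() style path. false models
 * the vmemmap path: page installed directly, field left with stale contents
 * (0x5a5a is a constructed sentinel). */
static struct ptdesc_model *alloc_pmd(bool run_ctor)
{
    struct ptdesc_model *pt = malloc(sizeof(*pt));
    if (pt)
        pt->pmd_huge_pte = run_ctor ? NULL : (void *)(uintptr_t)0x5a5a;
    return pt;
}

/* Stand-in for the dtor's VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte) check. */
static bool pmd_dtor_ok(const struct ptdesc_model *pt)
{
    return pt->pmd_huge_pte == NULL;
}

/* patched == false: the dtor always runs on teardown (the bug).
 * patched == true: the dtor is skipped when the context is vmemmap. */
enum result teardown(bool vmemmap, bool patched)
{
    struct ptdesc_model *pt = alloc_pmd(!vmemmap);
    if (!pt)
        return TEARDOWN_BUG;         /* allocation failure, not modelled */
    bool ok = (patched && vmemmap) ? true : pmd_dtor_ok(pt);
    free(pt);
    return ok ? TEARDOWN_OK : TEARDOWN_BUG;
}

int main(void)
{
    printf("vmemmap, unpatched: %s\n", teardown(true, false) ? "BUG" : "ok");
    printf("vmemmap, patched:   %s\n", teardown(true, true) ? "BUG" : "ok");
    printf("generic, patched:   %s\n", teardown(false, true) ? "BUG" : "ok");
    return 0;
}
```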
Potential Impact
For European organizations, the primary impact of CVE-2024-56673 is the risk of system crashes and denial of service on Linux systems running on RISC-V architecture with SPARSEMEM_VMEMMAP enabled. While RISC-V adoption in Europe is currently limited compared to x86_64 or ARM, it is growing in embedded systems, research, and specialized computing environments. Organizations using RISC-V based Linux servers, development platforms, or edge devices could experience unexpected kernel panics leading to service interruptions, data loss, or operational downtime. This is particularly critical for industries relying on high availability such as telecommunications, manufacturing automation, and research institutions. Since the vulnerability triggers during module unload or memory management operations, it may be encountered during system updates or dynamic kernel module handling, potentially disrupting maintenance activities. However, the lack of known exploits and the requirement for specific hardware and kernel configurations limit the immediate widespread threat. Nonetheless, organizations should consider this vulnerability in their risk assessments for RISC-V Linux deployments and plan timely patching to maintain system stability.
Mitigation Recommendations
To mitigate CVE-2024-56673, European organizations should:
1) Apply the official Linux kernel patches that add the necessary conditional checks to prevent the pmd destructor from being called during vmemmap page table teardown. Monitor kernel updates from trusted sources and integrate them promptly into RISC-V Linux systems.
2) Conduct thorough testing of kernel updates in staging environments to verify stability, especially if using custom kernel modules or HMM features.
3) Limit the use of dynamic kernel module loading/unloading on affected systems until patches are applied to reduce the risk of triggering the bug.
4) Implement robust monitoring and alerting for kernel panics or memory management errors to detect early signs of this issue.
5) For critical systems, consider deploying fallback mechanisms or redundancy to minimize downtime caused by unexpected crashes.
6) Engage with hardware and software vendors to ensure RISC-V platforms receive timely security updates and support.
7) Document and review system configurations to identify if SPARSEMEM_VMEMMAP and related features are enabled, as these are prerequisites for the vulnerability to manifest.
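One way to make the panic monitoring in recommendation 4 specific to this crash (an added example, not code from the original page or from the kernel project). The function name is hypothetical, the sample is constructed from lines of the oops in the description, and the check assumes the frames appear as in that trace, which depends on how a given kernel build inlines the teardown helpers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: selected lines of the oops quoted in the description. */
static const char SAMPLE_OOPS[] =
    "| page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)\n"
    "| kernel BUG at include/linux/mm.h:3080!\n"
    "| [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070\n"
    "| [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e\n"
    "| [<ffffffff8032e698>] section_deactivate+0x220/0x452\n";

static bool starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* True when the log has the pmd_huge_pte assertion and a call trace in which
 * remove_pgd_mapping is called directly from vmemmap_free. */
bool matches_vmemmap_pmd_dtor_bug(const char *log)
{
    bool saw_assert = false, saw_chain = false, prev_remove = false;
    char line[256];

    while (*log) {
        size_t n = strcspn(log, "\n");
        size_t c = n < sizeof(line) - 1 ? n : sizeof(line) - 1;
        memcpy(line, log, c);        /* work on one NUL-terminated line */
        line[c] = '\0';
        log += n + (log[n] == '\n');
        if (strstr(line, "VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)"))
            saw_assert = true;
        const char *frame = strstr(line, "[<");
        const char *sym = frame ? strstr(frame, ">] ") : NULL;
        if (!sym)
            continue;                /* not a call-trace frame */
        sym += 3;                    /* skip ">] " to reach the symbol */
        if (prev_remove && starts_with(sym, "vmemmap_free+"))
            saw_chain = true;
        prev_remove = starts_with(sym, "remove_pgd_mapping+");
    }
    return saw_assert && saw_chain;
}

int main(void)
{
    printf("match: %d\n", matches_vmemmap_pmd_dtor_bug(SAMPLE_OOPS));
    return 0;
}
```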
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T15:00:39.845Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde4ec
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 6/28/2025, 6:42:28 AM
Last updated: 7/27/2025, 6:29:06 AM