CVE-2023-52489: mm/sparsemem: fix race in accessing memory_section->usage
In the Linux kernel, the following vulnerability has been resolved:
mm/sparsemem: fix race in accessing memory_section->usage
The below race is observed on a PFN which falls into the device memory region with the system memory configuration where the PFNs are laid out as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since the normal zone start and end pfn contain the device memory PFNs as well, the compaction triggered will try on the device memory PFNs too, though they end up in a NOP (because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When, from another core, the section mappings are being removed for the ZONE_DEVICE region that the PFN in question belongs to, on which compaction is currently operating, the result is a kernel crash with CONFIG_SPARSEMEM_VMEMMAP enabled. The crash logs can be seen at [1].
compact_zone()                          memunmap_pages
-------------                           ---------------
__pageblock_pfn_to_page
   ......
 (a) pfn_valid():
       valid_section() // returns true
                                        (b) __remove_pages() ->
                                              sparse_remove_section() ->
                                                section_deactivate():
                                                [Free the array ms->usage and
                                                 set ms->usage = NULL]
     pfn_section_valid()
     [Access ms->usage which is NULL]
NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPARSEMEM_VMEMMAP enabled.
The commit b943f045a9af ("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation that valid_section() returns false, thus ms->usage is not accessed.
Fix this issue by the below steps:
a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.
b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.
c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared, thus valid_section() returns false.
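To make the ordering in steps a) to c) concrete, the following userspace model replays the interleaving from the diagram against both the pre-fix and the fixed code paths. It is an added example, not kernel code: pfn_valid_old/pfn_valid_fixed, deactivate_old/deactivate_fixed, run_scenario and the toy RCU (a reader count plus a one-slot deferred-free queue) are simplified stand-ins for pfn_valid(), pfn_section_valid(), section_deactivate(), rcu_read_lock() and kfree_rcu(); the bit value of SECTION_HAS_MEM_MAP and the subsection map contents are constructed for the demo.

```c
/* Userspace model of the memory_section->usage race and of the fix described above
 * (added example; simplified stand-ins for pfn_valid(), pfn_section_valid(),
 * section_deactivate() and RCU, not kernel code). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define SECTION_HAS_MEM_MAP 0x2UL   /* flag name from the advisory; bit value is illustrative */

struct mem_section_usage { unsigned long subsection_map; }; /* one bit per subsection */
struct mem_section {
    unsigned long section_mem_map;  /* carries SECTION_HAS_MEM_MAP among other bits */
    struct mem_section_usage *usage;
};

/* Toy RCU: count of readers inside a read-side critical section plus a one-slot
 * kfree_rcu() queue. A deferred free runs only once no reader is inside. */
static int active_readers;
static struct mem_section_usage *pending_free;
static int frees_completed;

static void model_rcu_read_lock(void) { active_readers++; }
static void model_rcu_read_unlock(void)
{
    if (--active_readers == 0 && pending_free) {   /* grace period ends here */
        free(pending_free); pending_free = NULL; frees_completed++;
    }
}
static void model_kfree_rcu(struct mem_section_usage *u)
{
    if (active_readers == 0) { free(u); frees_completed++; }
    else pending_free = u;                          /* defer past the running reader */
}

enum outcome { PFN_INVALID, PFN_VALID, NULL_DEREF };
typedef void (*deactivate_fn)(struct mem_section *);

/* section_deactivate() before the fix: flag cleared, but ->usage freed immediately. */
static void deactivate_old(struct mem_section *ms)
{
    ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;
    free(ms->usage); frees_completed++; ms->usage = NULL;
}

/* section_deactivate() after the fix: steps a) and c) from the text. */
static void deactivate_fixed(struct mem_section *ms)
{
    ms->section_mem_map &= ~SECTION_HAS_MEM_MAP;    /* a) clear the flag first */
    model_kfree_rcu(ms->usage);                     /* c) free only after readers are gone */
    ms->usage = NULL;
}

/* Reader before the fix: valid_section() check, then an unguarded ->usage dereference.
 * `racing`, if given, runs the concurrent teardown between the two steps ((b) on the page). */
static enum outcome pfn_valid_old(struct mem_section *ms, int idx, deactivate_fn racing)
{
    if (!(ms->section_mem_map & SECTION_HAS_MEM_MAP))  /* (a) valid_section() */
        return PFN_INVALID;
    if (racing) racing(ms);
    if (ms->usage == NULL)                              /* the kernel had no such check, */
        return NULL_DEREF;                              /* so this is where it oopses */
    return (ms->usage->subsection_map >> idx) & 1 ? PFN_VALID : PFN_INVALID;
}

/* Reader after the fix (step b): the whole check runs inside an RCU read-side section and
 * loads ->usage once (READ_ONCE() in the kernel). race_at: 1 = teardown runs after the
 * flag check, 2 = after the pointer load, 0 = no concurrent teardown. */
static enum outcome pfn_valid_fixed(struct mem_section *ms, int idx, int race_at, deactivate_fn racing)
{
    enum outcome r = PFN_INVALID;
    struct mem_section_usage *usage;

    model_rcu_read_lock();
    if (!(ms->section_mem_map & SECTION_HAS_MEM_MAP))
        goto out;
    if (race_at == 1 && racing) racing(ms);
    usage = ms->usage;                                  /* NULL, or still allocated */
    if (race_at == 2 && racing) racing(ms);
    if (usage)                                          /* NULL: section already torn down */
        r = (usage->subsection_map >> idx) & 1 ? PFN_VALID : PFN_INVALID;
out:
    model_rcu_read_unlock();                            /* deferred free may run here */
    return r;
}

/* Run one scenario on a fresh section whose subsection 0 is present (constructed input). */
static enum outcome run_scenario(bool fixed_reader, deactivate_fn teardown, int race_at)
{
    struct mem_section *ms = calloc(1, sizeof *ms);
    ms->usage = calloc(1, sizeof *ms->usage);
    ms->usage->subsection_map = 0x1;
    ms->section_mem_map |= SECTION_HAS_MEM_MAP;
    enum outcome r = fixed_reader ? pfn_valid_fixed(ms, 0, race_at, teardown)
                                  : pfn_valid_old(ms, 0, race_at ? teardown : NULL);
    free(ms->usage);   /* NULL if already torn down, otherwise still ours to free */
    free(ms);
    return r;
}

int main(void)
{
    printf("old reader + old teardown, racing: %d (2 = NULL deref)\n", run_scenario(false, deactivate_old, 1));
    printf("fixed reader + fixed teardown, racing: %d (0 = PFN invalid)\n", run_scenario(true, deactivate_fixed, 1));
    return 0;
}
```

The point the model isolates is that clearing the flag alone (what b943f045a9af did) does not help a reader that has already passed valid_section(); the fix works because the reader's pointer load and dereference sit inside one read-side critical section, the pointer is either NULL or still allocated when loaded, and the free is held back until the reader leaves.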
Thanks to David/Pavan for their inputs on this patch.
[1]
Other sources
In the Linux kernel, the following vulnerability has been resolved:
mm/sparsemem: fix race in accessing memory_section->usage
The Linux kernel CVE team has assigned CVE-2023-52489 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/20240229155245.1571576-30-lee@kernel.org/T
— Red Hat
Frequently Asked Questions
What is the severity of CVE-2023-52489?
CVE-2023-52489 is classified as a moderate severity vulnerability in the Linux kernel.
How does CVE-2023-52489 affect the Linux kernel?
CVE-2023-52489 introduces a race condition in accessing the memory_section structure, which could lead to undefined behavior.
How do I fix CVE-2023-52489?
To fix CVE-2023-52489, upgrade your Linux kernel to a release that contains the fix, such as 5.10.210, 5.15.149, or later.
Which Linux kernel versions are affected by CVE-2023-52489?
CVE-2023-52489 affects Linux kernel versions up to and including 5.10.209 and 5.15.148, as well as some earlier releases in the 6.x series.
Is there a workaround for CVE-2023-52489?
Currently, there is no specific workaround for CVE-2023-52489; the best mitigation is to apply the kernel updates from your distribution.