Hugh Dickins

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue was in the mm module, specifically regarding shmem, and was causing deadlocks when accessing tmpfs over NFS. The change was meant to fix a data-race in shmem getattr(), but it was reverted as suggested by Chuck. As Hugh commented, the change was added just to silence a syzbot sanitizer splat, and it was added where there has never been any practical problem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.7 Description: The issue is related to a vulnerability in the `folio migrate mapping()` function in the Linux kernel's memory management subsystem. This vulnerability is associated with double-free errors caused by deferred split and large folio migration. The problem arises when `deferred split scan()` moves folios to its local list without proper locking, allowing for a race condition that can lead to crashes or other symptoms implying double-free errors. The vulnerability can be exploited to cause a denial of service. Recommendations: To resolve the issue, update the Linux kernel to version 6.7 or later, which includes the fix for the vulnerability. Specifically, the commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") addresses the memcg-dependent locking issue, and additional fixes ensure that `folio migrate mapping()` can avoid the race condition by using `folio undo large rmappable()` while the old folio's reference count is temporarily frozen.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises when userspace issues a UFFD ioctl, which calls into `shmem mfill atomic pte()`. If the `copy from user()` fails after successfully accounting blocks and allocating a page with `shmem alloc page()`, the error code `-ENOENT` is returned without releasing the allocated page. This can lead to a situation where another process fills up the tmpfs, causing `shmem mfill atomic pte()` to fail when retried, resulting in a `BUG ON` assertion failure because the page is not consumed. The fix involves detecting and releasing any "dangling" pages when accounting fails. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 2.6.11 through 2.6.23 **Description** The issue is related to the `shmem getpage` function in the Linux kernel, which does not properly clear allocated memory in certain rare circumstances involving tmpfs. This could potentially allow local users to read sensitive kernel data or cause a denial of service, resulting in a system crash. **Recommendations** For Linux kernel versions 2.6.11 through 2.6.23, update to a version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Debian GNU/Linux kernel-patch-openvz (affected versions not specified) Linux kernel versions prior to 2.6.19-rc4 Description: The issue concerns multiple vulnerabilities in the kernel-patch-openvz package of Debian GNU/Linux and the Linux kernel, which can be exploited by a local attacker to compromise the confidentiality, integrity, and availability of protected information. The Linux kernel vulnerabilities are related to the `hugetlb vmtruncate list` and `hugetlb vmtruncate` functions in `fs/hugetlbfs/inode.c`, where certain calculations are performed using `HPAGE SIZE` instead of `PAGE SIZE` units, allowing local users to cause a denial of service via unspecified vectors. Recommendations: For Debian GNU/Linux kernel-patch-openvz, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Linux kernel versions prior to 2.6.19-rc4, update to version 2.6.19-rc4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `hugetlb vmtruncate list` and `hugetlb vmtruncate` functions to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions 2.6.16 up to 2.6.16.6 Description: The issue allows local users to bypass IPC permissions and modify readonly tmpfs files by utilizing the madvise remove functionality in the Linux kernel, which does not properly follow file and mmap restrictions. Recommendations: For Linux kernel versions 2.6.16 up to 2.6.16.6, update to a version that includes the fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 2.6 **Description** The issue is related to the shmem nopage function in the tmpfs driver, which does not properly verify the address argument. This allows local users to cause a denial of service, resulting in a kernel crash, by providing an invalid address. **Recommendations** For Linux kernel version 2.6, consider applying a patch that properly verifies the address argument in the shmem nopage function to prevent a denial of service.