Linux · Linux Kernel · CVE-2024-26960
Name of the Vulnerable Software and Affected Versions:
Linux kernel (affected versions not specified)
Description:
The issue is related to a race condition between the `free_swap_and_cache()` function and the `swapoff()` function in the Linux kernel's memory management subsystem. This could potentially allow an attacker to cause a denial of service by accessing freed memory. The problem is theoretical and has not been proven with a test case, but it has been agreed upon through code review that it is possible. The fix involves using `get_swap_device()` and `put_swap_device()` to stall `swapoff()`.
Technical details about exploitation include:
- **Function Names:** `free_swap_and_cache()`, `swapoff()`, `swap_page_trans_huge_swapped()`, `__try_to_reclaim_swap()`, `folio_free_swap()`, `delete_from_swap_cache()`, `put_swap_folio()`, `free_swap_slot()`, `swapcache_free_entries()`, `swap_entry_free()`, and `swap_range_free()`.
- **Variables:** `si->inuse_pages`, `count`, `nr_entries`.
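The get/put guard named in the Description can be illustrated with a small user-space model. This is an added example, not kernel code and not the actual patch: the `swap_dev_model` structure and every `model_*` function are hypothetical, and where the real `swapoff()` would stall, the model's teardown returns `false` so the caller can retry.

```c
/* User-space model of the get/put guard. NOT kernel code; all names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct swap_dev_model {
    atomic_int users;    /* references held by in-flight callers */
    atomic_bool live;    /* cleared once teardown has started */
    unsigned char *map;  /* stands in for the per-device swap map */
};

void model_init(struct swap_dev_model *si, size_t n) {
    atomic_init(&si->users, 0);
    atomic_init(&si->live, true);
    si->map = calloc(n, 1);
}

/* Analogue of get_swap_device(): pin the device, or fail if it is going away. */
bool model_get(struct swap_dev_model *si) {
    atomic_fetch_add(&si->users, 1);        /* publish the reference first */
    if (!atomic_load(&si->live)) {          /* then check for teardown */
        atomic_fetch_sub(&si->users, 1);
        return false;
    }
    return true;
}

/* Analogue of put_swap_device(): drop the reference. */
void model_put(struct swap_dev_model *si) { atomic_fetch_sub(&si->users, 1); }

/* Analogue of swapoff(): returns false while it would have to stall. */
bool model_try_swapoff(struct swap_dev_model *si) {
    atomic_store(&si->live, false);         /* refuse new references */
    if (atomic_load(&si->users) != 0)
        return false;                       /* a caller still pins the map */
    free(si->map);
    si->map = NULL;
    return true;
}

/* Guarded free path: touches the map only while holding a reference. */
int model_free_entry(struct swap_dev_model *si, size_t idx) {
    if (!model_get(si))
        return -1;                          /* device gone: do not touch the map */
    if (si->map[idx])
        si->map[idx]--;
    model_put(si);
    return 0;
}
```

Without the `model_get()` check in `model_free_entry()`, the decrement could run after `model_try_swapoff()` has freed the map, which is the freed-memory access the Description refers to.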
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.