PT-2024-10100 · Linux+4 · Linux Kernel+4

Mortem · Published 2024-10-22 · Updated 2026-02-21 · CVE-2024-50066

CVSS v3.1: 7.0 (High)

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6.58

Description

The issue is a race condition in the move_page_tables() function, specifically between move_normal_pmd() and retract_page_tables() in the THP code. This can lead to the creation of bogus PMD entries, potentially allowing for user-to-kernel privilege escalation on certain architectures, such as x86. The vulnerability can be exploited by creating shmem/file THP mappings and racing the move_normal_pmd() and retract_page_tables() functions.

The move_page_tables() function looks at the type of the PMD entry and the specified address range to determine how to move the next chunk of page table entries. At this point the mmap lock is held in write mode, but no rmap locks are held yet. For PMD entries that point to page tables and are fully covered by the source address range, move_pgt_entry(NORMAL_PMD, ...) is called, which first takes rmap locks, then calls move_normal_pmd().

The move_normal_pmd() function takes the necessary page table locks at source and destination, then moves an entire page table from the source to the destination. The problem is that the rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP code, are only taken after the PMD entry has been read and it has been decided how to move it.
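
The ordering problem described above, reduced to a deterministic userspace model. This is an added example, not kernel code and not the upstream patch. All names (`slot`, `retract`, `move_check_then_lock`, `move_lock_then_recheck`) are hypothetical, the `gap` callback is a constructed interleaving, and re-reading the entry under the lock is shown as the general remedy for this bug class, not as a description of the actual fix.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only (hypothetical names, not kernel code): a slot holds a
 * pointer to a "page table", or NULL once that table has been retracted. */
struct slot { void *table; };
static atomic_flag rmap = ATOMIC_FLAG_INIT;   /* stands in for the rmap locks */
static void rmap_take(void) { while (atomic_flag_test_and_set(&rmap)) { } }
static void rmap_drop(void) { atomic_flag_clear(&rmap); }

/* Stands in for the concurrent remover: clears the slot under the lock. */
static void retract(struct slot *s) { rmap_take(); s->table = NULL; rmap_drop(); }

typedef void (*gap_fn)(struct slot *);        /* runs in the unlocked gap */

/* Ordering from the description: classify first, lock afterwards, then act on
 * the stale classification. Returns true if it believes a table was moved. */
bool move_check_then_lock(struct slot *src, struct slot *dst, gap_fn gap)
{
    if (src->table == NULL) return false;     /* decided with no lock held */
    if (gap) gap(src);                        /* constructed interleaving */
    rmap_take();
    dst->table = src->table;                  /* copies the entry even if now empty */
    src->table = NULL;
    rmap_drop();
    return true;
}

/* Same move, but the entry is re-read once the lock is held and the move is
 * abandoned if it no longer points to a table. */
bool move_lock_then_recheck(struct slot *src, struct slot *dst, gap_fn gap)
{
    if (src->table == NULL) return false;
    if (gap) gap(src);
    rmap_take();
    bool ok = (src->table != NULL);
    if (ok) { dst->table = src->table; src->table = NULL; }
    rmap_drop();
    return ok;
}

int main(void)
{
    int pt;
    struct slot a = { &pt }, b = { NULL }, c = { &pt }, d = { NULL };
    bool stale = move_check_then_lock(&a, &b, retract) && b.table == NULL;
    bool refused = !move_lock_then_recheck(&c, &d, retract) && d.table == NULL;
    return (stale && refused) ? 0 : 1;        /* 0 when both behave as described */
}
```

In the first variant the caller is told a table was moved although the destination received an empty entry, which is the model's counterpart of the bogus PMD entry.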

Recommendations

To resolve the issue, upgrade the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider restricting the use of shmem/file THP mappings to minimize the risk of exploitation. Avoid using the mremap() function with move_page_tables() until the issue is resolved.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
ALT-PU-2024-17211
ALT-PU-2025-12647
AZL-52169
BDU:2025-00297
CVE-2024-50066
MGASA-2024-0344
MGASA-2024-0345
OESA-2024-2367
OPENSUSE-SU-2024:14500-1
OPENSUSE-SU-2025:14705-1
USN-7276-1
USN-7277-1
USN-7310-1
USN-7383-1
USN-7383-2
USN-7384-1
USN-7384-2
USN-7385-1
USN-7386-1
USN-7403-1
USN-7451-1
USN-7468-1
USN-7523-1
USN-7524-1

Affected Products

Alt Linux
Linuxmint
Linux Kernel
Red Os
Ubuntu