PT-2024-33863 · Linux+7 · Linux Kernel+7
Kun +1 · Published 2024-10-21 · Updated 2025-10-03 · CVE-2024-50022
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
The issue is in the device-dax feature of the Linux kernel, where the pgoff should be aligned using ALIGN_DOWN() instead of ALIGN(). With the wrong alignment, memory failure handling gets the wrong address, leading to endless MCE (memory-failure) events until panic. The problem is subtle and can only be observed in specific error injection scenarios. It took several weeks to identify the issue using bpftrace to trace the page fault and MCE address.
Recommendations:
To resolve the issue, update to Linux kernel version 6.6.58 or later. As a temporary workaround, consider avoiding the use of unpinned device-dax regions unaligned to the device-dax selected alignment. Restrict access to the dax_set_mapping() function until a patch is available. Avoid using the page_mapped_in_vma() function on dev-dax pages except in specific error injection scenarios, to minimize the risk of exploitation.
Exploit
Fix
Buffer Overflow
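The rounding difference named in the description, shown as an added example (not the kernel's code): user-space equivalents of ALIGN() and ALIGN_DOWN() applied to a fault address before deriving the page offset. The 2 MiB fault size, 4 KiB page size, the addresses and the helper names are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                   /* assumption: 4 KiB base pages */
#define FAULT_SIZE 0x200000ULL          /* assumption: 2 MiB device-dax fault size */
#define VM_START   0x7f0000000000ULL    /* constructed, 2 MiB-aligned mapping start */

/* User-space equivalents of ALIGN() / ALIGN_DOWN() for a power-of-two a. */
static uint64_t align_up(uint64_t x, uint64_t a)   { return (x + a - 1) & ~(a - 1); }
static uint64_t align_down(uint64_t x, uint64_t a) { return x & ~(a - 1); }

/* Hypothetical helper: page offset of addr within a mapping that starts at
 * vm_start and maps the device from offset 0. */
static uint64_t page_index(uint64_t vm_start, uint64_t addr)
{
    return (addr - vm_start) >> PAGE_SHIFT;
}

/* pgoff derived by rounding the fault address up: lands on the next huge page. */
static uint64_t pgoff_round_up(uint64_t vm_start, uint64_t addr)
{
    return page_index(vm_start, align_up(addr, FAULT_SIZE));
}

/* pgoff derived by rounding down: the head of the huge page that faulted. */
static uint64_t pgoff_round_down(uint64_t vm_start, uint64_t addr)
{
    return page_index(vm_start, align_down(addr, FAULT_SIZE));
}

int main(void)
{
    /* Constructed fault addresses: one on a 2 MiB boundary, one a page past it. */
    uint64_t addrs[] = { VM_START + 0x200000, VM_START + 0x201000 };

    for (int i = 0; i < 2; i++)
        printf("addr=%#llx  ALIGN -> pgoff %llu  ALIGN_DOWN -> pgoff %llu\n",
               (unsigned long long)addrs[i],
               (unsigned long long)pgoff_round_up(VM_START, addrs[i]),
               (unsigned long long)pgoff_round_down(VM_START, addrs[i]));
    return 0;
}
```

The two roundings agree when the fault address already sits on the alignment boundary and differ by a full huge page (512 base pages here) when it does not.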
Affected Products
Alt Linux
Astra Linux
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu