Bug 1224635 (CVE-2024-35797) - VUL-0: CVE-2024-35797: kernel: mm: cachestat: fix two shmem bugs
Summary: VUL-0: CVE-2024-35797: kernel: mm: cachestat: fix two shmem bugs
Status: RESOLVED FIXED
Alias: CVE-2024-35797
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/406406/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-35797:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-20 15:33 UTC by SMASH SMASH
Modified: 2024-06-05 13:06 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-20 15:33:06 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm: cachestat: fix two shmem bugs

When cachestat on shmem races with swapping and invalidation, there
are two possible bugs:

1) A swapin error can have resulted in a poisoned swap entry in the
   shmem inode's xarray. Calling get_shadow_from_swap_cache() on it
   will result in an out-of-bounds access to swapper_spaces[].

   Validate the entry with non_swap_entry() before going further.

2) When we find a valid swap entry in the shmem's inode, the shadow
   entry in the swapcache might not exist yet: swap IO is still in
   progress and we're before __remove_mapping; swapin, invalidation,
   or swapoff have removed the shadow from swapcache after we saw the
   shmem swap entry.

   This will send a NULL to workingset_test_recent(). The latter
   purely operates on pointer bits, so it won't crash - node 0, memcg
   ID 0, eviction timestamp 0, etc. are all valid inputs - but it's a
   bogus test. In theory that could result in a false "recently
   evicted" count.

   Such a false positive wouldn't be the end of the world. But for
   code clarity and (future) robustness, be explicit about this case.

   Bail on get_shadow_from_swap_cache() returning NULL.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35797
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-35797.mbox
https://git.kernel.org/stable/c/b79f9e1ff27c994a4c452235ba09e672ec698e23
https://git.kernel.org/stable/c/d962f6c583458037dc7e529659b2b02b9dd3d94b
https://git.kernel.org/stable/c/24a0e73d544439bb9329fbbafac44299e548a677
https://git.kernel.org/stable/c/d5d39c707a4cf0bcc84680178677b97aa2cb2627
https://www.cve.org/CVERecord?id=CVE-2024-35797
https://bugzilla.redhat.com/show_bug.cgi?id=2281151
Comment 1 Joey Lee 2024-05-21 08:36:35 UTC 
https://www.suse.com/security/cve/CVE-2024-35797.html
cvss 5.5
Comment 3 Joey Lee 2024-05-24 07:28:12 UTC 
Nothing to be done
Comment 4 Andrea Mattiazzo 2024-06-05 13:06:15 UTC 
All done, closing.