{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-42233", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-30T07:40:12.251Z", "datePublished": "2024-08-07T15:14:23.858Z", "dateUpdated": "2024-09-11T17:34:32.513Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-08-07T15:14:23.858Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: replace pte_offset_map() with pte_offset_map_nolock()\n\nThe vmf->ptl in filemap_fault_recheck_pte_none() is still set from\nhandle_pte_fault(). But at the same time, we did a pte_unmap(vmf->pte). \nAfter a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table\nmay be racily changed and vmf->ptl maybe fails to protect the actual page\ntable. Fix this by replacing pte_offset_map() with\npte_offset_map_nolock().\n\nAs David said, the PTL pointer might be stale so if we continue to use\nit infilemap_fault_recheck_pte_none(), it might trigger UAF. Also, if\nthe PTL fails, the issue fixed by commit 58f327f2ce80 (\"filemap: avoid\nunnecessary major faults in filemap_fault()\") might reappear."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/filemap.c"], "versions": [{"version": "58f327f2ce80", "lessThan": "6a6c2aec1a89", "status": "affected", "versionType": "git"}, {"version": "58f327f2ce80", "lessThan": "24be02a42181", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/filemap.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "custom"}, {"version": "6.9.10", "lessThanOrEqual": "6.9.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.10", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/6a6c2aec1a89506595801b4cf7e8eef035f33748"}, {"url": "https://git.kernel.org/stable/c/24be02a42181f0707be0498045c4c4b13273b16d"}], "title": "filemap: replace pte_offset_map() with pte_offset_map_nolock()", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42233", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:14:13.816205Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:32.513Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42233", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:14:13.816205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:24.316Z"}}], "cna": {"title": "filemap: replace pte_offset_map() with pte_offset_map_nolock()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "58f327f2ce80", "lessThan": "6a6c2aec1a89", "versionType": "git"}, {"status": "affected", "version": "58f327f2ce80", "lessThan": "24be02a42181", "versionType": "git"}], "programFiles": ["mm/filemap.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.9"}, {"status": "unaffected", "version": "0", "lessThan": "6.9", "versionType": "custom"}, {"status": "unaffected", "version": "6.9.10", "versionType": "custom", "lessThanOrEqual": "6.9.*"}, {"status": "unaffected", "version": "6.10", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["mm/filemap.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6a6c2aec1a89506595801b4cf7e8eef035f33748"}, {"url": "https://git.kernel.org/stable/c/24be02a42181f0707be0498045c4c4b13273b16d"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: replace pte_offset_map() with pte_offset_map_nolock()\n\nThe vmf->ptl in filemap_fault_recheck_pte_none() is still set from\nhandle_pte_fault(). But at the same time, we did a pte_unmap(vmf->pte). \nAfter a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table\nmay be racily changed and vmf->ptl maybe fails to protect the actual page\ntable. Fix this by replacing pte_offset_map() with\npte_offset_map_nolock().\n\nAs David said, the PTL pointer might be stale so if we continue to use\nit infilemap_fault_recheck_pte_none(), it might trigger UAF. Also, if\nthe PTL fails, the issue fixed by commit 58f327f2ce80 (\"filemap: avoid\nunnecessary major faults in filemap_fault()\") might reappear."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-08-07T15:14:23.858Z"}}}, "cveMetadata": {"cveId": "CVE-2024-42233", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:32.513Z", "dateReserved": "2024-07-30T07:40:12.251Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-07T15:14:23.858Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F5C3789-472B-40EC-9D2A-48169EDB592B", "versionEndExcluding": "6.9.10", "versionStartIncluding": "6.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: replace pte_offset_map() with pte_offset_map_nolock()\n\nThe vmf->ptl in filemap_fault_recheck_pte_none() is still set from\nhandle_pte_fault(). But at the same time, we did a pte_unmap(vmf->pte). \nAfter a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table\nmay be racily changed and vmf->ptl maybe fails to protect the actual page\ntable. Fix this by replacing pte_offset_map() with\npte_offset_map_nolock().\n\nAs David said, the PTL pointer might be stale so if we continue to use\nit infilemap_fault_recheck_pte_none(), it might trigger UAF. Also, if\nthe PTL fails, the issue fixed by commit 58f327f2ce80 (\"filemap: avoid\nunnecessary major faults in filemap_fault()\") might reappear."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: filemap: reemplace pte_offset_map() con pte_offset_map_nolock() El vmf->ptl en filemap_fault_recheck_pte_none() todav\u00eda est\u00e1 configurado desde handle_pte_fault(). Pero al mismo tiempo, hicimos un pte_unmap(vmf->pte). Despu\u00e9s de desasignar pte_unmap(vmf->pte) y rcu_read_unlock(), la tabla de p\u00e1ginas puede cambiarse r\u00e1pidamente y vmf->ptl tal vez no pueda proteger la tabla de p\u00e1ginas real. Solucione este problema reemplazando pte_offset_map() con pte_offset_map_nolock(). Como dijo David, el puntero PTL puede estar obsoleto, por lo que si continuamos us\u00e1ndolo en filemap_fault_recheck_pte_none(), podr\u00eda activar UAF. Adem\u00e1s, si el PTL falla, el problema solucionado mediante el commit 58f327f2ce80 (\"filemap: evite errores importantes innecesarios en filemap_fault()\") podr\u00eda reaparecer."}], "id": "CVE-2024-42233", "lastModified": "2024-08-08T14:56:18.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-07T16:15:46.313", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/24be02a42181f0707be0498045c4c4b13273b16d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6a6c2aec1a89506595801b4cf7e8eef035f33748"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: filemap: replace pte_offset_map() with pte_offset_map_nolock()", "id": "2303501", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2303501"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-99", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nfilemap: replace pte_offset_map() with pte_offset_map_nolock()\nThe vmf->ptl in filemap_fault_recheck_pte_none() is still set from\nhandle_pte_fault(). But at the same time, we did a pte_unmap(vmf->pte). \nAfter a pte_unmap(vmf->pte) unmap and rcu_read_unlock(), the page table\nmay be racily changed and vmf->ptl maybe fails to protect the actual page\ntable. Fix this by replacing pte_offset_map() with\npte_offset_map_nolock().\nAs David said, the PTL pointer might be stale so if we continue to use\nit infilemap_fault_recheck_pte_none(), it might trigger UAF. Also, if\nthe PTL fails, the issue fixed by commit 58f327f2ce80 (\"filemap: avoid\nunnecessary major faults in filemap_fault()\") might reappear.", "In the Linux kernel, a vulnerability was fixed by replacing `pte_offset_map()` with `pte_offset_map_nolock()` in the `filemap_fault_recheck_pte_none()` function. The original use of `pte_offset_map()` relied on a potentially stale page table lock (PTL), which could lead to a use-after-free (UAF) condition if the page table was modified after a `pte_unmap()` operation. The replacement function, `pte_offset_map_nolock()`, avoids this risk by not depending on the PTL, thus ensuring safer access to the page table and preventing potential security issues."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-42233", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-07T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-42233\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42233\nhttps://lore.kernel.org/linux-cve-announce/2024080739-CVE-2024-42233-7fc5@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate"}