{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T23:59:22.277","vulnerabilities":[{"cve":{"id":"CVE-2023-52489","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-03-11T18:15:16.673","lastModified":"2025-02-14T16:41:06.000","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/sparsemem: fix race in accessing memory_section->usage\n\nThe below race is observed on a PFN which falls into the device memory\nregion with the system memory configuration where PFN's are such that\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL].  Since normal zone start and end\npfn contains the device memory PFN's as well, the compaction triggered\nwill try on the device memory PFN's too though they end up in NOP(because\npfn_to_online_page() returns NULL for ZONE_DEVICE memory sections).  When\nfrom other core, the section mappings are being removed for the\nZONE_DEVICE region, that the PFN in question belongs to, on which\ncompaction is currently being operated is resulting into the kernel crash\nwith CONFIG_SPASEMEM_VMEMAP enabled.  The crash logs can be seen at [1].\n\ncompact_zone()\t\t\tmemunmap_pages\n-------------\t\t\t---------------\n__pageblock_pfn_to_page\n   ......\n (a)pfn_valid():\n     valid_section()//return true\n\t\t\t      (b)__remove_pages()->\n\t\t\t\t  sparse_remove_section()->\n\t\t\t\t    section_deactivate():\n\t\t\t\t    [Free the array ms->usage and set\n\t\t\t\t     ms->usage = NULL]\n     pfn_section_valid()\n     [Access ms->usage which\n     is NULL]\n\nNOTE: From the above it can be said that the race is reduced to between\nthe pfn_valid()/pfn_section_valid() and the section deactivate with\nSPASEMEM_VMEMAP enabled.\n\nThe commit b943f045a9af(\"mm/sparse: fix kernel crash with\npfn_section_valid check\") tried to address the same problem by clearing\nthe SECTION_HAS_MEM_MAP with the expectation of valid_section() returns\nfalse thus ms->usage is not accessed.\n\nFix this issue by the below steps:\n\na) Clear SECTION_HAS_MEM_MAP before freeing the ->usage.\n\nb) RCU protected read side critical section will either return NULL\n   when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage.\n\nc) Free the ->usage with kfree_rcu() and set ms->usage = NULL.  No\n   attempt will be made to access ->usage after this as the\n   SECTION_HAS_MEM_MAP is cleared thus valid_section() return false.\n\nThanks to David/Pavan for their inputs on this patch.\n\n[1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/\n\nOn Snapdragon SoC, with the mentioned memory configuration of PFN's as\n[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of\nissues daily while testing on a device farm.\n\nFor this particular issue below is the log.  Though the below log is\nnot directly pointing to the pfn_section_valid(){ ms->usage;}, when we\nloaded this dump on T32 lauterbach tool, it is pointing.\n\n[  540.578056] Unable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\n[  540.578068] Mem abort info:\n[  540.578070]   ESR = 0x0000000096000005\n[  540.578073]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  540.578077]   SET = 0, FnV = 0\n[  540.578080]   EA = 0, S1PTW = 0\n[  540.578082]   FSC = 0x05: level 1 translation fault\n[  540.578085] Data abort info:\n[  540.578086]   ISV = 0, ISS = 0x00000005\n[  540.578088]   CM = 0, WnR = 0\n[  540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--)\n[  540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c\n[  540.579454] lr : compact_zone+0x994/0x1058\n[  540.579460] sp : ffffffc03579b510\n[  540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c\n[  540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640\n[  540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000\n[  540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140\n[  540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff\n[  540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001\n[  540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440\n[  540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4\n[  540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000\n---truncated---"},{"lang":"es","value":"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mm/sparsemem: corrige la carrera al acceder a la sección_memoria->uso La siguiente carrera se observa en un PFN que cae en la región de memoria del dispositivo con la configuración de memoria del sistema donde los PFN son tales que [ ZONA_NORMAL ZONA_DISPOSITIVO ZONA_NORMAL]. Dado que el pfn de inicio y fin de zona normal también contiene los PFN de la memoria del dispositivo, la compactación activada probará también los PFN de la memoria del dispositivo aunque terminen en NOP (porque pfn_to_online_page() devuelve NULL para las secciones de memoria ZONE_DEVICE). Cuando desde otro núcleo, las asignaciones de sección se eliminan para la región ZONE_DEVICE, a la que pertenece el PFN en cuestión, en la que se está operando la compactación actualmente, se produce el bloqueo del kernel con CONFIG_SPASEMEM_VMEMAP habilitado. Los registros de fallos se pueden ver en [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()/ /return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Libere la matriz ms->usage y establezca ms->usage = NULL] pfn_section_valid() [Acceda a ms->usage que es NULL] NOTA: De lo anterior se puede decir que la carrera se reduce a entre pfn_valid()/pfn_section_valid() y la sección desactivada con SPASEMEM_VMEMAP habilitado. La confirmación b943f045a9af(\"mm/sparse: fix kernel crash with pfn_section_valid check\") intentó solucionar el mismo problema borrando SECTION_HAS_MEM_MAP con la expectativa de que valid_section() devuelva false, por lo que no se accede a ms->usage. Solucione este problema siguiendo los pasos a continuación: a) Borre SECTION_HAS_MEM_MAP antes de liberar el ->uso. b) La sección crítica del lado de lectura protegida por RCU devolverá NULL cuando se borre SECTION_HAS_MEM_MAP o podrá acceder con éxito a ->uso. c) Libere ->usage con kfree_rcu() y establezca ms->usage = NULL. No se intentará acceder a ->uso después de esto, ya que SECTION_HAS_MEM_MAP se borra, por lo que valid_section() devuelve falso. Gracias a David/Pavan por sus aportes en este parche. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ En Snapdragon SoC, con la configuración de memoria mencionada de PFN como [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], pueden ver una gran cantidad de problemas diariamente mientras realizan pruebas en una granja de dispositivos. Para este problema en particular, a continuación se encuentra el registro. Aunque el siguiente registro no apunta directamente a pfn_section_valid(){ ms->usage;}, cuando cargamos este volcado en la herramienta Lauterbach T32, sí apunta. [ 540.578056] No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000000 [ 540.578068] Información de cancelación de memoria: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT ( EL actual), IL = 32 bits [ 540.578077] SET = 0 , FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: error de traducción de nivel 1 [ 540.578085] Información de cancelación de datos: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088 ] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x10 58 [540.579460] sp: ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:00000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:00000000000000000 [ 540.579483] x20: 0 000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 00000000000000 00 x12:0000000000000001 [ 540.579501]---truncado---"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-362"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.10.210","matchCriteriaId":"5DEE8F5B-E814-4226-B0B3-D1DCB8FA5E14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.149","matchCriteriaId":"0D0465BB-4053-4E15-9137-6696EBAE90FD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.76","matchCriteriaId":"32F0FEB3-5FE1-4400-A56D-886F09BE872E"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.15","matchCriteriaId":"87C718CB-AE3D-4B07-B4D9-BFF64183C468"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.7.3","matchCriteriaId":"58FD5308-148A-40D3-B36A-0CA6B434A8BF"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/3a01daace71b521563c38bbbf874e14c3e58adb7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/5ec8e8ea8b7783fab150cf86404fc38cb4db8800","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/68ed9e33324021e9d6b798e9db00ca3093d2012a","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/70064241f2229f7ba7b9599a98f68d9142e81a97","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/90ad17575d26874287271127d43ef3c2af876cea","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Patch"]},{"url":"https://git.kernel.org/stable/c/b448de2459b6d62a53892487ab18b7d823ff0529","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Mailing List","Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}}]}