{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T15:24:01.842","vulnerabilities":[{"cve":{"id":"CVE-2024-53096","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-11-25T22:15:15.287","lastModified":"2025-11-03T23:17:19.467","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: resolve faulty mmap_region() error path behaviour\n\nThe mmap_region() function is somewhat terrifying, with spaghetti-like\ncontrol flow and numerous means by which issues can arise and incomplete\nstate, memory leaks and other unpleasantness can occur.\n\nA large amount of the complexity arises from trying to handle errors late\nin the process of mapping a VMA, which forms the basis of recently\nobserved issues with resource leaks and observable inconsistent state.\n\nTaking advantage of previous patches in this series we move a number of\nchecks earlier in the code, simplifying things by moving the core of the\nlogic into a static internal function __mmap_region().\n\nDoing this allows us to perform a number of checks up front before we do\nany real work, and allows us to unwind the writable unmap check\nunconditionally as required and to perform a CONFIG_DEBUG_VM_MAPLE_TREE\nvalidation unconditionally also.\n\nWe move a number of things here:\n\n1. We preallocate memory for the iterator before we call the file-backed\n   memory hook, allowing us to exit early and avoid having to perform\n   complicated and error-prone close/free logic. We carefully free\n   iterator state on both success and error paths.\n\n2. The enclosing mmap_region() function handles the mapping_map_writable()\n   logic early. Previously the logic had the mapping_map_writable() at the\n   point of mapping a newly allocated file-backed VMA, and a matching\n   mapping_unmap_writable() on success and error paths.\n\n   We now do this unconditionally if this is a file-backed, shared writable\n   mapping. If a driver changes the flags to eliminate VM_MAYWRITE, however\n   doing so does not invalidate the seal check we just performed, and we in\n   any case always decrement the counter in the wrapper.\n\n   We perform a debug assert to ensure a driver does not attempt to do the\n   opposite.\n\n3. We also move arch_validate_flags() up into the mmap_region()\n   function. This is only relevant on arm64 and sparc64, and the check is\n   only meaningful for SPARC with ADI enabled. We explicitly add a warning\n   for this arch if a driver invalidates this check, though the code ought\n   eventually to be fixed to eliminate the need for this.\n\nWith all of these measures in place, we no longer need to explicitly close\nthe VMA on error paths, as we place all checks which might fail prior to a\ncall to any driver mmap hook.\n\nThis eliminates an entire class of errors, makes the code easier to reason\nabout and more robust."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: resolver el comportamiento defectuoso de la ruta de error mmap_region() La función mmap_region() es algo aterradora, con un flujo de control tipo espagueti y numerosos medios por los cuales pueden surgir problemas y pueden ocurrir estados incompletos, fugas de memoria y otras cosas desagradables. Una gran parte de la complejidad surge de intentar manejar errores tarde en el proceso de mapeo de un VMA, que forma la base de los problemas observados recientemente con fugas de recursos y estado inconsistente observable. Aprovechando los parches anteriores de esta serie, movemos una serie de verificaciones antes en el código, simplificando las cosas al mover el núcleo de la lógica a una función interna estática __mmap_region(). Hacer esto nos permite realizar una serie de verificaciones por adelantado antes de hacer cualquier trabajo real, y nos permite desenrollar la verificación de desasignación escribible incondicionalmente según sea necesario y realizar una validación CONFIG_DEBUG_VM_MAPLE_TREE incondicionalmente también. Aquí movemos una serie de cosas: 1. Preasignamos memoria para el iterador antes de llamar al gancho de memoria respaldado por archivo, lo que nos permite salir antes y evitar tener que realizar una lógica de cierre/liberación complicada y propensa a errores. Liberamos cuidadosamente el estado del iterador tanto en las rutas de éxito como de error. 2. La función mmap_region() que lo encierra maneja la lógica mapping_map_writable() de forma temprana. Anteriormente, la lógica tenía mapping_map_writable() en el punto de mapeo de un VMA respaldado por archivo recientemente asignado y un mapping_unmap_writable() coincidente en las rutas de éxito y error. Ahora hacemos esto incondicionalmente si se trata de un mapeo compartido escribible respaldado por archivo. Sin embargo, si un controlador cambia los indicadores para eliminar VM_MAYWRITE, al hacerlo no invalida la verificación de sello que acabamos de realizar y, en cualquier caso, siempre decrementamos el contador en el contenedor. Realizamos una aserción de depuración para asegurarnos de que un controlador no intente hacer lo contrario. 3. También trasladamos arch_validate_flags() a la función mmap_region(). Esto solo es relevante en arm64 y sparc64, y la comprobación solo es significativa para SPARC con ADI habilitado. Agregamos explícitamente una advertencia para esta arquitectura si un controlador invalida esta comprobación, aunque el código debería corregirse eventualmente para eliminar la necesidad de esto. Con todas estas medidas implementadas, ya no necesitamos cerrar explícitamente el VMA en las rutas de error, ya que colocamos todas las comprobaciones que podrían fallar antes de una llamada a cualquier gancho mmap del controlador. Esto elimina una clase completa de errores, hace que el código sea más fácil de razonar y más robusto."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.150","versionEndExcluding":"5.10.231","matchCriteriaId":"5E49B9C7-7B50-4126-8CBA-66256295EB63"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.75","versionEndExcluding":"5.15.174","matchCriteriaId":"B8A791EF-FA57-4BA6-B758-F85DB2C9C332"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.3","versionEndExcluding":"6.1.119","matchCriteriaId":"5D6C7A20-9E1E-4463-9822-61E01EE9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.63","matchCriteriaId":"8800BB45-48BC-4B52-BDA5-B1E4633F42E5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12","matchCriteriaId":"D251AFC3-8DFD-4F80-861D-362FF9D2EA73"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19.17:*:*:*:*:*:*:*","matchCriteriaId":"B02CA4B2-2E84-45BE-A5D3-122D9820527C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*","matchCriteriaId":"7F361E1D-580F-4A2D-A509-7615F73167A1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"3C95E234-D335-4B6C-96BF-E2CEBD8654ED"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"E0F717D8-3014-4F84-8086-0124B2111379"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"24DBE6C7-2AAE-4818-AED2-E131F153D2FA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*","matchCriteriaId":"24B88717-53F5-42AA-9B72-14C707639E3F"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/43323a4e5b3f8ccc08e2f835abfdc7ee9da8f6ed","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/44f48eb9a6051826227bbd375446064fb2a43c6c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/52c81fd0f5a8bf8032687b94ccf00d13b44cc5c8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/5de195060b2e251a835f622759550e6202167641","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/bdc136e2b05fabcd780fe5f165d154eb779dfcb0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://project-zero.issues.chromium.org/issues/374117290","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Exploit","Issue Tracking","Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}