CVE-2024-26960 Information

Description

In the Linux kernel the following vulnerability has been resolved:

mm: swap: fix race between free_swap_and_cache() and swapoff()

There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause amongst other bad possibilities swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map.

This is a theoretical problem and I haven’t been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below).

Fix it by using get_swap_device()/put_swap_device() which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn’t present in get_swap_device() because it doesn’t make sense in general due to the race between getting the reference and swapoff. So I’ve added an equivalent check directly in free_swap_and_cache().

Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this):

–8<—–

__swap_entry_free() might be the last user and result in

Reference

https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39 https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e