Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2024-56613

Disclosure Date: December 27, 2024
CVE-2024-56613 CVSS v3 Base Score: 5.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

sched/numa: fix memory leak due to the overwritten vma->numab_state

[Problem Description]
When running the hackbench program of LTP, the following memory leak is
reported by kmemleak.

# /opt/ltp/testcases/bin/hackbench 20 thread 1000
Running with 20*40 (== 800) tasks.

# dmesg | grep kmemleak

kmemleak: 480 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
kmemleak: 665 new suspected memory leaks (see /sys/kernel/debug/kmemleak)

# cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff888cd8ca2c40 (size 64):

comm "hackbench", pid 17142, jiffies 4299780315
hex dump (first 32 bytes):
  ac 74 49 00 01 00 00 00 4c 84 49 00 01 00 00 00  .tI.....L.I.....
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
backtrace (crc bff18fd4):
  [<ffffffff81419a89>] __kmalloc_cache_noprof+0x2f9/0x3f0
  [<ffffffff8113f715>] task_numa_work+0x725/0xa00
  [<ffffffff8110f878>] task_work_run+0x58/0x90
  [<ffffffff81ddd9f8>] syscall_exit_to_user_mode+0x1c8/0x1e0
  [<ffffffff81dd78d5>] do_syscall_64+0x85/0x150
  [<ffffffff81e0012b>] entry_SYSCALL_64_after_hwframe+0x76/0x7e

This issue can be consistently reproduced on three different servers:

  • a 448-core server
  • a 256-core server
  • a 192-core server

[Root Cause]
Since multiple threads are created by the hackbench program (along with
the command argument ‘thread’), a shared vma might be accessed by two or
more cores simultaneously. When two or more cores observe that
vma->numab_state is NULL at the same time, vma->numab_state will be
overwritten.

Although current code ensures that only one thread scans the VMAs in a
single ‘numa_scan_period’, there might be a chance for another thread
to enter in the next ‘numa_scan_period’ while we have not gotten till
numab_state allocation [1].

Note that the command /opt/ltp/testcases/bin/hackbench 50 process 1000
cannot the reproduce the issue. It is verified with 200+ test runs.

[Solution]
Use the cmpxchg atomic operation to ensure that only one thread executes
the vma->numab_state assignment.

[1] https://lore.kernel.org/lkml/1794be3c-358c-4cdc-a43d-a1f841d91ef7@amd.com/

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux 8f149bcc4d91ac92b32ff4949b291e6ed883dc42
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis