VIR Vulnerability Intelligence Relay

CVE-2023-52489

medium
Published 2024-04-30 · Modified 2024-05-29
CVSS v3
CVSS v2
VIR risk
5.5

Description

In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configuration where PFN's are such that [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end pfn contains the device memory PFN's as well, the compaction triggered will try on the device memory PFN's too though they end up in NOP(because pfn_to_online_page() returns NULL for ZONE_DEVICE memory sections). When from other core, the section mappings are being removed for the ZONE_DEVICE region, that the PFN in question belongs to, on which compaction is currently being operated is resulting into the kernel crash with CONFIG_SPASEMEM_VMEMAP enabled. The crash logs can be seen at [1]. compact_zone() memunmap_pages ------------- --------------- __pageblock_pfn_to_page ...... (a)pfn_valid(): valid_section()//return true (b)__remove_pages()-> sparse_remove_section()-> section_deactivate(): [Free the array ms->usage and set ms->usage = NULL] pfn_section_valid() [Access ms->usage which is NULL] NOTE: From the above it can be said that the race is reduced to between the pfn_valid()/pfn_section_valid() and the section deactivate with SPASEMEM_VMEMAP enabled. The commit b943f045a9af("mm/sparse: fix kernel crash with pfn_section_valid check") tried to address the same problem by clearing the SECTION_HAS_MEM_MAP with the expectation of valid_section() returns false thus ms->usage is not accessed. Fix this issue by the below steps: a) Clear SECTION_HAS_MEM_MAP before freeing the ->usage. b) RCU protected read side critical section will either return NULL when SECTION_HAS_MEM_MAP is cleared or can successfully access ->usage. c) Free the ->usage with kfree_rcu() and set ms->usage = NULL. No attempt will be made to access ->usage after this as the SECTION_HAS_MEM_MAP is cleared thus valid_section() return false. Thanks to David/Pavan for their inputs on this patch. [1] https://lore.kernel.org/linux-mm/994410bb-89aa-d987-1f50-f514903c55aa@quicinc.com/ On Snapdragon SoC, with the mentioned memory configuration of PFN's as [ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL], we are able to see bunch of issues daily while testing on a device farm. For this particular issue below is the log. Though the below log is not directly pointing to the pfn_section_valid(){ ms->usage;}, when we loaded this dump on T32 lauterbach tool, it is pointing. [ 540.578056] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 540.578068] Mem abort info: [ 540.578070] ESR = 0x0000000096000005 [ 540.578073] EC = 0x25: DABT (current EL), IL = 32 bits [ 540.578077] SET = 0, FnV = 0 [ 540.578080] EA = 0, S1PTW = 0 [ 540.578082] FSC = 0x05: level 1 translation fault [ 540.578085] Data abort info: [ 540.578086] ISV = 0, ISS = 0x00000005 [ 540.578088] CM = 0, WnR = 0 [ 540.579431] pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBSBTYPE=--) [ 540.579436] pc : __pageblock_pfn_to_page+0x6c/0x14c [ 540.579454] lr : compact_zone+0x994/0x1058 [ 540.579460] sp : ffffffc03579b510 [ 540.579463] x29: ffffffc03579b510 x28: 0000000000235800 x27:000000000000000c [ 540.579470] x26: 0000000000235c00 x25: 0000000000000068 x24:ffffffc03579b640 [ 540.579477] x23: 0000000000000001 x22: ffffffc03579b660 x21:0000000000000000 [ 540.579483] x20: 0000000000235bff x19: ffffffdebf7e3940 x18:ffffffdebf66d140 [ 540.579489] x17: 00000000739ba063 x16: 00000000739ba063 x15:00000000009f4bff [ 540.579495] x14: 0000008000000000 x13: 0000000000000000 x12:0000000000000001 [ 540.579501] x11: 0000000000000000 x10: 0000000000000000 x9 :ffffff897d2cd440 [ 540.579507] x8 : 0000000000000000 x7 : 0000000000000000 x6 :ffffffc03579b5b4 [ 540.579512] x5 : 0000000000027f25 x4 : ffffffc03579b5b8 x3 :0000000000000 ---truncated---

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2024-2394.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2270118

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2270080

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267795

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267788

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267758

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267041

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265646

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265645

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265520

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265519

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265518

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265517

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2262127

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2262126

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2260005

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2258518

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2258013

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2255498

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2253034

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2252731

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2246980

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2239848

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2210024

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2188102

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2185519

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2133452

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2049700

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/1918601

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-2950.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:2950

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2024-3138.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2272811

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2270883

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2270836

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2269217

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2269189

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267761

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267760

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267750

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2267695

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265653

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2265285

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2257979

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2257682

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2256822

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2256490

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2255283

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2254982

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2254961

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2253632

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2250043

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2244720

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2239847

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2239845

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2235306

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2231410

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2230042

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2226788

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2226787

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2226784

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2226777

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2221702

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2221463

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2221039

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2219359

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2218332

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2213132

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2179892

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2177759

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2151959

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2150953

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2044578

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2043520

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2039178

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/1999589

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/1888726

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/1746732

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/1731000

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2024:3138

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-52489

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-52489.html

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2024:2950

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:2394

OS impact
OSVersionStatusFixed in
redhat rhel9fixed
rockylinux rocky8fixed
suse slesaffected
debian debianbookwormfixed6.1.76-1
debian debianbullseyefixed5.10.216-1
debian debianforkyfixed6.6.15-1
debian debiansidfixed6.6.15-1
debian debiantrixiefixed6.6.15-1
almalinux almalinux8fixedkernel-abi-stablelists-4.18.0-553.el8_10.noarch.rpm
almalinux almalinux9fixedkernel-doc-5.14.0-427.13.1.el9_4.noarch.rpm

References

Verify integrity in audit chain (admin only). AS-IS.