CVE-2024-57945

Severity: High (CVSS 3.1 base score 7.1) · EPSS 11.0%
Published Jan 21, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: mm: Fix the out of bound issue of vmemmap address

In sparse vmemmap model, the virtual address of vmemmap is calculated as: ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). And the struct page's va can be calculated with an offset: (vmemmap + (pfn)).

However, when initializing struct pages, kernel actually starts from the first page from the same section that phys_ram_base belongs to. If the first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then we get a va below VMEMMAP_START when calculating va for its struct page.

For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During init_unavailable_range(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is below VMEMMAP_START as well as PCI_IO_END.

This commit fixes this bug by introducing a new variable 'vmemmap_start_pfn' which is aligned with memory section size and using it to calculate vmemmap address instead of phys_ram_base.
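The arithmetic behind the advisory, as an added illustration that is not kernel code: the vulnerable anchor (phys_ram_base's own pfn) is computed beside the fixed one (the section-aligned vmemmap_start_pfn), using the advisory's phys_ram_base of 0x82000000. The page size, section size, struct page size and VMEMMAP_START are assumed constants chosen for the example, not the real RISC-V layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants: 4 KiB pages, 128 MiB memory sections, a 64-byte
 * struct page and a placeholder VMEMMAP_START (not the real kernel layout). */
#define PAGE_SHIFT        12
#define SECTION_SIZE_BITS 27
#define SECTION_SIZE      (1ULL << SECTION_SIZE_BITS)
#define STRUCT_PAGE_SIZE  64ULL
#define VMEMMAP_START     0xffffffc700000000ULL

/* First pfn of the section that phys_ram_base belongs to; struct page
 * initialisation starts here, not at phys_ram_base itself. */
static uint64_t section_start_pfn(uint64_t phys_ram_base)
{
    return (phys_ram_base & ~(SECTION_SIZE - 1)) >> PAGE_SHIFT;
}

/* Vulnerable form: vmemmap is anchored at phys_ram_base's own pfn.
 * Returns the struct page index relative to VMEMMAP_START; a negative
 * index means the struct page sits below the vmemmap region. */
static int64_t vmemmap_index_buggy(uint64_t phys_ram_base, uint64_t pfn)
{
    return (int64_t)pfn - (int64_t)(phys_ram_base >> PAGE_SHIFT);
}

/* Fixed form: anchor at the section-aligned vmemmap_start_pfn instead. */
static int64_t vmemmap_index_fixed(uint64_t phys_ram_base, uint64_t pfn)
{
    return (int64_t)pfn - (int64_t)section_start_pfn(phys_ram_base);
}

/* Virtual address of the struct page at a given (possibly negative) index. */
static uint64_t struct_page_va(int64_t index)
{
    return VMEMMAP_START + (uint64_t)index * STRUCT_PAGE_SIZE;
}

int main(void)
{
    const uint64_t base = 0x82000000ULL;          /* advisory example */
    const uint64_t pfn = section_start_pfn(base); /* 0x80000 */
    int64_t bad = vmemmap_index_buggy(base, pfn), good = vmemmap_index_fixed(base, pfn);
    printf("pfn 0x%llx: buggy index %lld (va 0x%llx, %s VMEMMAP_START), fixed index %lld\n",
           (unsigned long long)pfn, (long long)bad, (unsigned long long)struct_page_va(bad),
           struct_page_va(bad) < VMEMMAP_START ? "below" : "within", (long long)good);
    return 0;
}
```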

CVSS Details

Base Score
7.1
Exploitability
1.8
Impact
5.2
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
11.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read (Memory Safety)

Affected Products 14

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.10.212 – <5.11
linux   linux_kernel  *        ≥5.15.151 – <5.16
linux   linux_kernel  *        ≥6.1.81 – <6.1.140
linux   linux_kernel  *        ≥6.6.21 – <6.6.72
linux   linux_kernel  *        ≥6.7.9 – <6.8
linux   linux_kernel  *        ≥6.8.1 – <6.12.10
linux   linux_kernel  6.8      any
linux   linux_kernel  6.8      any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any
linux   linux_kernel  6.13     any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/04350304428063da6a55a8a4597d409dc69148b2
  • git.kernel.org https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14 (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66 (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b (Patch)
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14 (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66 (Patch)
  • git.kernel.org https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b (Patch)