CVE-2024-47745 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

mm: call the security_mmap_file() LSM hook in remap_file_pages()

The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux.

So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux.

The bypass is similar to CVE-2016-10044, which bypasses the same thing via AIO and can be found in [1].

The PoC:

$ cat > test.c
/* headers required to build */
#include <fcntl.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void) {
	size_t pagesz = sysconf(_SC_PAGE_SIZE);
	int mfd = syscall(SYS_memfd_create, "test", 0);
	const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
			       MAP_SHARED, mfd, 0);
	/* query the current personality, then add READ_IMPLIES_EXEC */
	unsigned int old = syscall(SYS_personality, 0xffffffff);
	syscall(SYS_personality, READ_IMPLIES_EXEC | old);
	syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
	syscall(SYS_personality, old);
	// show the RWX page exists even if W^X policy is enforced
	int fd = open("/proc/self/maps", O_RDONLY);
	unsigned char buf2[1024];
	while (1) {
		int ret = read(fd, buf2, 1024);
		if (ret <= 0) break;
		write(1, buf2, ret);
	}
	close(fd);
}

$ gcc test.c -o test
$ ./test | grep rwx
7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)

[PM: subject line tweaks]


Analysis

by VulDB Data Team • 01/19/2026

The vulnerability CVE-2024-47745 represents a significant bypass of kernel-level memory protection mechanisms in the Linux kernel, specifically targeting the W^X (Write XOR Execute) security policy enforcement. This flaw exists within the memory management subsystem where the remap_file_pages system call fails to invoke the security_mmap_file LSM (Linux Security Module) hook before performing memory mapping operations. The issue arises because the remap_file_pages handler directly calls do_mmap() without proper security validation, creating a path for privilege escalation through improper memory permissions. This vulnerability directly impacts SELinux and other LSM implementations that rely on W^X policies to prevent memory pages from being both writable and executable simultaneously, which is a fundamental defense against code injection attacks.

The mechanism of this vulnerability lies in the interaction between the personality system call and memory mapping operations. When a process invokes personality(READ_IMPLIES_EXEC), the kernel treats any readable mapping of that process as also executable, so the read-write pages in the proof of concept end up mapped RWX. Because the remap_file_pages syscall calls do_mmap() directly, the resulting executable mapping is created without the security_mmap_file check that an ordinary mmap() would go through. This bypass mechanism is similar to CVE-2016-10044, which exploited an analogous gap in asynchronous I/O operations. The vulnerability specifically affects systems where SELinux or other security modules enforce W^X policies, as demonstrated by the proof-of-concept code that successfully creates an RWX memory mapping despite security restrictions. The flaw operates at the kernel level, bypassing the security module interface that should validate memory mapping operations before they are committed to the process address space.

The operational impact of CVE-2024-47745 is severe as it allows attackers to circumvent critical kernel memory protection mechanisms that are fundamental to modern security architectures. This vulnerability can be exploited by unprivileged users to create executable memory regions in locations where such permissions would normally be prohibited, potentially enabling code injection attacks, privilege escalation, and bypass of security controls implemented by SELinux and other LSMs. The attack vector is particularly concerning because it requires minimal privileges and can be executed through standard system calls without requiring specialized tools or complex exploitation techniques. The bypass affects the integrity of memory protection policies and can undermine the security posture of systems relying on W^X enforcement, making it particularly dangerous in environments where memory safety is critical. This vulnerability directly violates the principle of least privilege and can be leveraged to subvert security policies that are designed to prevent memory-based attacks such as buffer overflows and return-oriented programming exploits.

Mitigation strategies for CVE-2024-47745 must focus on ensuring that all memory mapping operations properly invoke security module hooks before completing the mapping process. The primary fix involves modifying the remap_file_pages syscall handler to call security_mmap_file() before invoking do_mmap(), thereby ensuring that all security policies are properly enforced. System administrators should ensure that kernel updates containing the fix are applied immediately, as this vulnerability can be exploited without elevated privileges. Additional mitigations include monitoring for suspicious memory mapping patterns, particularly those involving the combination of personality settings with remap_file_pages calls, and implementing strict access controls on system calls that can modify memory permissions. Organizations should also review their SELinux policies and other LSM configurations to ensure that W^X enforcement is properly maintained and that no bypass mechanisms exist. The fix aligns with security standards such as CWE-119 for memory safety issues and addresses ATT&CK techniques related to privilege escalation and defense evasion through memory manipulation. Regular security audits should verify that all memory management operations properly integrate with security modules to prevent similar bypass vulnerabilities from being introduced in future kernel versions.
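The monitoring suggested above can be approached from the other end as well: rather than watching the syscalls, audit the result. Below is an added example (not code from the kernel commit or from VulDB) that parses /proc/<pid>/maps and reports every mapping that is both writable and executable, which is exactly the condition a W^X policy is meant to rule out. The sample maps line it is checked against is the one quoted in the advisory's PoC output; the struct and function names are this example's own.

```c
/* wx_audit.c: report mappings in a /proc/<pid>/maps file that are both
 * writable and executable.  Added illustrative example; the names
 * map_entry, parse_maps_line, is_wx_mapping and count_wx_mappings are
 * this example's own, not kernel or VulDB identifiers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct map_entry {
    unsigned long long start, end;
    char perms[5];        /* e.g. "rwxs" or "rw-p" */
    char path[256];       /* backing file, pseudo-path, or "" if anonymous */
};

/* Parse one line of /proc/<pid>/maps.  Returns 1 on success, 0 otherwise.
 * The trailing path is optional and may itself contain spaces, as in
 * "/memfd:test (deleted)", so it is taken as the rest of the line. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    unsigned long long offset, inode;
    char dev[16];
    int consumed = 0;

    memset(e, 0, sizeof(*e));
    if (sscanf(line, "%llx-%llx %4s %llx %15s %llu%n",
               &e->start, &e->end, e->perms, &offset, dev, &inode,
               &consumed) != 6)
        return 0;

    const char *p = line + consumed;
    while (*p == ' ')
        p++;
    size_t len = strcspn(p, "\n");
    if (len >= sizeof(e->path))
        len = sizeof(e->path) - 1;
    memcpy(e->path, p, len);
    e->path[len] = '\0';
    return 1;
}

/* A mapping violates W^X when its permission string carries both 'w' and 'x'. */
int is_wx_mapping(const struct map_entry *e)
{
    return strchr(e->perms, 'w') != NULL && strchr(e->perms, 'x') != NULL;
}

/* Scan a maps file ("/proc/self/maps", "/proc/<pid>/maps", or a saved copy).
 * Prints each offending mapping; returns the number found, or -1 on error. */
int count_wx_mappings(const char *maps_path)
{
    FILE *f = fopen(maps_path, "r");
    if (!f)
        return -1;

    char line[512];
    struct map_entry e;
    int hits = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_maps_line(line, &e) && is_wx_mapping(&e)) {
            printf("W^X violation: %llx-%llx %s %s\n",
                   e.start, e.end, e.perms, e.path);
            hits++;
        }
    }
    fclose(f);
    return hits;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/proc/self/maps";
    int n = count_wx_mappings(target);
    if (n < 0) {
        perror(target);
        return 2;
    }
    printf("%d writable+executable mapping(s) in %s\n", n, target);
    return n ? 1 : 0;   /* non-zero exit lets a cron job or CI step flag it */
}
```

Run it as `./wx_audit /proc/<pid>/maps` for a process of interest, or loop it over /proc/*/maps from a privileged monitoring job; a shared file-backed mapping showing `rwxs` on a W^X-enforced host is the signature the advisory's PoC produces. Note that this is a point-in-time check of the outcome, so it complements rather than replaces auditing of the remap_file_pages and personality syscalls themselves.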

Responsible

Linux

Reservation

09/30/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00285

KEV

no

Activities

very low
