CVE-2024-46790 in Linuxinfo

Zusammenfassung

von VulDB • 15.05.2026

Based on the kernel crash trace and the description provided, this is a bug in the Linux kernel's memory management subsystem, specifically related to **Memory Corruption Detection (MCE/HWPOISON)** and **Page Allocation Tags**.

### Analysis of the Crash

1. **Context**: The crash occurs in `pgalloc_tag_sub`, which is part of the page allocation tag accounting mechanism (used for debugging memory leaks or tracking page usage). 2. **Trigger**: The call trace shows the path: `hwpoison_unpoison` -> `unpoison_memory` -> `folio_put` -> `free_unref_page` -> `pgalloc_tag_sub`. This means a page that was previously "poisoned" (marked as bad/corrupted) is being "unpoisoned" (returned to the free pool). 3. **The Bug**: When a page is unpoisoned, it goes through `unpoison_memory`. During this process, the page is isolated and accounted for. However, the **page tag reference** (used by `pgalloc_tag`) is not cleared before the page is freed. When `free_unref_page` eventually calls `pgalloc_tag_sub` to decrement the tag count, it finds stale or incorrect tag data, leading to an assertion failure or invalid state in `pgalloc_tag_sub`.

### The Fix

As suggested in the prompt, the fix is to **clear the page tag reference** after the page has been isolated and accounted for during the unpoisoning process.

This typically involves modifying the `unpoison_memory` function in the kernel source (likely in `mm/memory-failure.c` or related files).

### Code Patch Example

Here is a conceptual patch based on the fix description. The exact location and function names may vary slightly depending on the kernel version, but the logic remains the same:

```c // In mm/memory-failure.c (or similar file)

static int unpoison_memory(unsigned long pfn) {
struct page *page; int ret;

// ... existing code to get the page ...

// Isolate the page ret = isolate_lru_page(page); if (ret) return ret;

// Account for the page (e.g., update stats, remove from LRU) // ... existing accounting code ...

// FIX: Clear the page tag reference here // This ensures that when the page is freed, pgalloc_tag_sub // does not encounter stale tag data. page_tag_clear(page); // Note: The exact function name might be different, e.g., // clear_page_tag(page) or similar, depending on the tag subsystem. // In some kernels, this might involve resetting page->pgalloc_tag or similar.

// Now free the page put_page(page);

return 0; } ```

### Key Points for Implementation

1. **Identify the Tag Clearing Function**: Look for functions like `page_tag_clear()`, `clear_page_tag()`, or direct manipulation of `page->pgalloc_tag` in your kernel version. 2. **Timing**: The tag must be cleared **after** isolation and accounting but **before** the page is returned to the free list (`put_page()` or `folio_put()`). 3. **Testing**: After applying the patch, test the `hwpoison_inject` module by writing to the debugfs entry to trigger unpoisoning and verify that the crash no longer occurs.

### Conclusion

The crash is caused by stale page allocation tags when unpoisoning a memory page. The fix is to clear these tags during the unpoisoning process to ensure consistent accounting when the page is freed.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Zuständig

Linux

Reservieren

11.09.2024

Veröffentlichung

18.09.2024

Moderieren

akzeptiert

Eintrag

VDB-277960

CPE

bereit

EPSS

0.00179

KEV

nein

Aktivitäten

very low

Quellen

Interested in the pricing of exploits?

See the underground prices here!