CVE-2024-45022: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-45022 affects the Linux kernel's memory management subsystem, specifically related to page mapping in the vmalloc functionality. The vulnerability was discovered in September 2024 and affects Linux kernel versions from 6.1.95 up to 6.1.107, 6.3 to 6.6.48, 6.7 to 6.10.7, and 6.11 release candidates (NVD).

The vulnerability exists in the vmappagesrangenoflush() function which incorrectly assumes its argument pages** contains pages with the same page shift. When gfpflags includes GFPNOFAIL with high order in vmareaallocpages() and page allocation fails for high order, the pages** may contain two different page shifts (high order and order-0). This can lead to incorrect mappings and potential memory corruption. The issue occurs specifically when vmapallowhuge is true and using 2M PMD_SIZE allocations (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

If exploited, this vulnerability could result in memory corruption due to incorrect page mappings. The impact is primarily focused on system availability, as indicated by the CVSS metrics showing no impact on confidentiality or integrity, but high impact on availability (NVD).

The vulnerability has been fixed by removing the fallback code in vmareaallocpages(), as the _vmallocnoderange_noprof() function already handles retry with order-0 when high-order allocation fails. The fix has been incorporated into various Linux distributions including Debian and Ubuntu through security updates (Kernel Patch, Debian Security).