CVE-2024-50022: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-50022 affects the Linux kernel's device-dax implementation, specifically in the daxsetmapping() function. The vulnerability was discovered in September 2024 and involves incorrect address alignment that can lead to system instability. The issue affects Linux kernel versions from 5.17 up to (excluding) 6.1.113, 6.2 up to (excluding) 6.6.57, and 6.7 up to (excluding) 6.11.4 (NVD).

The vulnerability stems from using ALIGN() instead of ALIGNDOWN() for determining pgoff in the daxsetmapping() function. When vmf->address is not aligned to faultsize, it gets aligned to the next alignment, resulting in memory failure obtaining incorrect addresses. This issue manifests specifically in pagemappedinvma() after page fault handling by devdaxhugefault. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, the vulnerability can cause endless Machine Check Exceptions (MCE) until system panic occurs. This happens because pagemappedin_vma() continuously returns wrong addresses, preventing proper task termination when accessing failing memory addresses. The impact is particularly severe in scenarios involving error injection to non-2M-aligned addresses in 2M-aligned DAX device mappings (Kernel Patch).

The vulnerability has been patched by changing ALIGN() to ALIGNDOWN() in the daxset_mapping() function. The fix has been incorporated into multiple Linux kernel versions. Users should update to Linux kernel versions 6.1.113 or later, 6.6.57 or later, or 6.11.4 or later to address this vulnerability (NVD).