CVE-2024-50066: 
CBL Mariner vulnerability analysis and mitigation

A race condition vulnerability (CVE-2024-50066) was discovered in the Linux kernel's memory management subsystem, specifically in the mremap functionality. The vulnerability affects Linux kernel versions from 6.6 up to (excluding) 6.6.58, versions from 6.7 up to (excluding) 6.11.5, and versions 6.12-rc1 through 6.12-rc3. The issue was discovered and reported by Jann Horn (Kernel Patch).

The vulnerability occurs in the move_normal_pmd() function during mremap operations. The issue arises because rmap locks, which protect against concurrent page table removal by retract_page_tables() in the THP (Transparent Huge Pages) code, are only taken after the PMD entry has been read and its movement method has been determined. This creates a race condition between the mremap operation and page table removal, potentially resulting in the creation of bogus PMD entries. On x86 systems, this can lead to physical page 0 being mapped as a page table (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 base score of 7.0 HIGH (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

When successfully exploited, this vulnerability can lead to user-to-kernel privilege escalation on affected systems. However, the impact is limited by specific requirements for exploitation. The bug requires the ability to create shmem/file THP mappings, which typically necessitates either the experimental CONFIG_READ_ONLY_THP_FOR_FS flag or access to shmem THP through a user's own tmpfs mount with specific flags (Kernel Patch).

The vulnerability has been fixed in Linux kernel version 6.6.58 and later, as well as in version 6.11.5 and later. The fix involves adding a check to verify that the PMD still points to a page table after the rmap locks have been taken, with a fallback to PTE-level copying if the check fails (Kernel Patch).