Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 more CPE entries)
A vulnerability has been identified in the Linux kernel's hugetlb (huge page) memory management, specifically in how hugetlb_change_protection() handles Page Table Entry (PTE) markers. The issue surfaced when userfaultfd write-protect (uffd-wp) was used together with virtio-mem and background snapshots on hugetlb memory under QEMU. Because PTE markers are mishandled, a process that maps a memory file backed by hugepages, registers uffd-wp on it, and then manipulates the PTE markers can drive the memory management code into an inconsistent state.
Triggering this vulnerability causes a kernel bug check (VM_BUG_ON()), which signals a serious memory management inconsistency and can result in system instability or a crash.
The issue can be reproduced by mapping a memfd (memory file descriptor) backed by hugepages, registering userfaultfd write-protect (uffd-wp) on an unmapped page, and then either reapplying the uffd-wp protection, removing it, or unregistering uffd-wp. A subsequent fallocate() call with the FALLOC_FL_PUNCH_HOLE flag on the affected file range then hits the VM_BUG_ON(), confirming that the vulnerability has been triggered.