Linux Kernel Uprobe PTE Overwrite Vulnerability

Vulnerability

A vulnerability in the Linux kernel has been identified in which the page table entry (PTE) installed for a user probe (uprobe) can be unintentionally overwritten when a virtual memory area (VMA) is expanded. The issue was first observed in the 6.6.y series of the Linux kernel and can be reproduced with the community syzkaller fuzzer. It arises when a file is mapped into memory and then remapped in a way that causes VMAs to be merged, so that the uprobe PTE is handled incorrectly and left orphaned.

Impact

Exploitation of this vulnerability corrupts kernel memory-management state, specifically the handling of uprobe page table entries, which disrupts the intended behavior of user probes attached to the affected application.

Reproduction

To reproduce this vulnerability, register a uprobe on a file at offset zero. Then mmap the file at offset zero with no access permissions (PROT_NONE). Next, use mremap to move part of the first VMA into a new VMA, and then mremap it back to its original address. Moving the range out and back causes the VMAs to be expanded and merged, which overwrites the uprobe PTE and leaves it in an orphaned state.

Remediation

Users can apply the latest patches available in the Linux kernel Git repository, which contain the fix for this issue.

Added: Jul 4, 2025, 3:13 PM
Updated: Jul 4, 2025, 3:13 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     0.0
  relevance       0.2
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined to calculate the overall risk score.