Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's memory management subsystem, specifically in the KSM (Kernel Samepage Merging) handling of madvise(). It is triggered when the 'madvise' system call is issued with the 'MADV_UNMERGEABLE' flag on a virtual memory area (VMA) that is registered with userfaultfd in minor mode. The unmerge path clears 'VM_MERGEABLE' from the VMA's 'vm_flags' with a bitwise AND of the flag's complement, but 'VM_MERGEABLE' was defined as a 32-bit integer literal (0x80000000), so its complement is also a 32-bit value; masking the 64-bit 'vm_flags' with it zero-extends the mask and silently clears the upper 32 bits, where the userfaultfd flags live. The VMA is left in a state the kernel's userfaultfd consistency checks reject, resulting in a kernel panic. This vulnerability affects Linux kernel versions prior to 6.16.0.
Exploitation of this vulnerability leads to a kernel panic, i.e. a denial of service: the whole system crashes, not just the calling process. No privilege beyond the ability to call userfaultfd() and madvise() on the process's own memory is described.
The vulnerability can be reproduced by mapping a virtual memory area (VMA) and registering it with userfaultfd in minor mode, then issuing the 'madvise' system call on that range with the 'MADV_UNMERGEABLE' flag. This sequence triggers the flag-dropping behavior: the upper 32 bits of the VMA's 'vm_flags' are cleared while the VMA still carries its userfaultfd context, an inconsistency the kernel detects and treats as fatal, resulting in a panic.
The vulnerability has been addressed by redefining the 'VM_MERGEABLE' constant with the BIT() macro, which produces an unsigned long value. The complement of the flag is then a full-width 64-bit mask, so the bitwise AND no longer clears the upper bits of 'vm_flags'. Users should upgrade to Linux kernel version 6.16.0 or later.
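The following user-space C program is an added example, not code from the kernel or from the advisory, that reproduces the integer-width mistake in isolation: it models 'vm_flags' as a 64-bit unsigned long, applies the MADV_UNMERGEABLE clearing step with the old 32-bit literal and with the BIT()-based definition, and shows which flags survive. The bit position used for the userfaultfd minor-mode flag (bit 38) is an assumption made for the demonstration; the kernel's real value is arch-specific and only needs to be somewhere in the upper 32 bits for the bug to bite.

```c
#include <assert.h>
#include <stdio.h>

/*
 * Stand-in for the kernel's vm_flags word. On x86-64 Linux (LP64) unsigned
 * long is 64 bits wide, which is what makes the truncation observable.
 */
typedef unsigned long vm_flags_t;
_Static_assert(sizeof(vm_flags_t) == 8, "demonstration assumes an LP64 target");

/* Pre-fix definition: a 32-bit literal. 0x80000000 does not fit in int, so
 * it is an unsigned int, and ~VM_MERGEABLE_OLD is the 32-bit value 0x7fffffff. */
#define VM_MERGEABLE_OLD 0x80000000

/* Fixed definition: the kernel's BIT() expands to an unsigned long shift. */
#define BIT(nr) (1UL << (nr))
#define VM_MERGEABLE_NEW BIT(31)

/* Assumed bit position for the userfaultfd minor-mode flag (upper 32 bits). */
#define VM_UFFD_MINOR BIT(38)

/* Mirrors the MADV_UNMERGEABLE clearing step with the old constant:
 * the 32-bit mask is zero-extended, so bits 32..63 of flags are dropped. */
vm_flags_t unmerge_old(vm_flags_t flags)
{
	return flags & ~VM_MERGEABLE_OLD;
}

/* Same step with the fixed constant: ~VM_MERGEABLE_NEW is a 64-bit mask. */
vm_flags_t unmerge_new(vm_flags_t flags)
{
	return flags & ~VM_MERGEABLE_NEW;
}

/* Flags that the old definition clears but the fixed one preserves. */
vm_flags_t collateral_damage(vm_flags_t flags)
{
	return unmerge_new(flags) & ~unmerge_old(flags);
}

/*
 * Models the check the kernel ends up failing: a VMA that still has a
 * userfaultfd minor-mode context registered must also carry VM_UFFD_MINOR.
 * Returns 1 when consistent, 0 when the flag was lost.
 */
int uffd_minor_consistent(vm_flags_t flags, int has_minor_ctx)
{
	if (!has_minor_ctx)
		return 1;
	return (flags & VM_UFFD_MINOR) != 0;
}

int main(void)
{
	/* Constructed VMA state: KSM-mergeable and registered for uffd minor mode. */
	vm_flags_t flags = VM_MERGEABLE_NEW | VM_UFFD_MINOR;

	printf("before        : 0x%016lx\n", flags);
	printf("old unmerge   : 0x%016lx (uffd consistent: %d)\n",
	       unmerge_old(flags), uffd_minor_consistent(unmerge_old(flags), 1));
	printf("fixed unmerge : 0x%016lx (uffd consistent: %d)\n",
	       unmerge_new(flags), uffd_minor_consistent(unmerge_new(flags), 1));
	printf("flags lost    : 0x%016lx\n", collateral_damage(flags));
	return 0;
}
```

The old path returns 0 for this input: both VM_MERGEABLE and the userfaultfd flag are gone, which is the inconsistency the advisory describes. The fixed path leaves exactly VM_UFFD_MINOR set. The same promotion rule applies to any flag defined with a 32-bit literal and cleared with `&= ~FLAG` on an unsigned long, so the BIT() idiom is the general defence, not a one-off.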