Linux Kernel High Memory Page Fault Vulnerability in Mempool Management

Vulnerability

A vulnerability has been identified in the Linux kernel's memory pool management, specifically related to high memory handling. The issue arises in version 6.18.0-rc2, where the poisoning mechanism for memory pool elements does not properly account for high memory pages. This oversight can lead to a page fault error, as the kernel attempts to access a non-present page, causing a supervisor write access violation in kernel mode. The problem was reported by the kernel test robot and analyzed by Christoph Hellwig, who noted that the poisoning code fails to manage high memory correctly, allowing the entire high-order page to be accessed without proper mapping. The vulnerability was introduced in a previous commit that added element poisoning for slabs but neglected high memory considerations.

Impact

Exploitation of this vulnerability can cause a kernel panic due to an unhandled page fault, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by initializing a memory pool with high-order pages in a Linux kernel environment that includes high memory support. When the memory pool's elements are poisoned or checked, the kernel will attempt to access unmapped high memory pages, triggering a page fault error. This can be observed in a virtual machine running QEMU with the standard PC (i440FX + PIIX, 1996) hardware configuration.
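The failure mode described above, as a user-space model added here (it is not kernel code and not the upstream fix). It assumes a temporary high-memory mapping is valid for exactly one page; every name in it (`element`, `window`, `map_one_page`, `poison_whole_element`, `poison_per_page`) is hypothetical, and the poison value is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define POISON_BYTE 0x6b   /* constructed poison value for this model */
#define MAX_PAGES   8u

/* Model of a high-order highmem element: 2^order pages, none permanently mapped. */
struct element { unsigned order; unsigned char pages[MAX_PAGES][PAGE_SIZE]; };
/* Model of a temporary mapping, assumed valid for exactly one page. */
struct window { unsigned char *base; size_t len; };

static struct window map_one_page(struct element *e, unsigned idx)
{
    return (struct window){ e->pages[idx], PAGE_SIZE };
}

/* Write through a window; -1 stands in for the page fault when the range leaves it. */
static int window_poison(struct window w, size_t len)
{
    if (len > w.len)
        return -1;
    memset(w.base, POISON_BYTE, len);
    return 0;
}

/* Flawed pattern: map the first page, then poison the whole element through it. */
int poison_whole_element(struct element *e)
{
    return window_poison(map_one_page(e, 0), (size_t)PAGE_SIZE << e->order);
}

/* Corrected pattern: map and poison one page at a time; returns pages poisoned or -1. */
int poison_per_page(struct element *e)
{
    unsigned i;
    for (i = 0; i < (1u << e->order); i++)
        if (window_poison(map_one_page(e, i), PAGE_SIZE) != 0)
            return -1;
    return (int)i;
}

int main(void)
{
    static struct element e = { .order = 2 };   /* constructed order-2 element */
    printf("whole element: %d\n", poison_whole_element(&e));
    printf("per page:      %d\n", poison_per_page(&e));
    return 0;
}
```

With an order-0 element the flawed pattern succeeds, which is why the fault only appears for pools built from high-order pages.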

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Dec 16, 2025, 4:07 PM
Updated: Dec 16, 2025, 4:07 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.