Linux Kernel Hugetlb Folio Information Leak Vulnerability in Memfd Allocation

Vulnerability

A vulnerability in the Linux kernel's handling of hugetlb folios for memfd can lead to an information leak. When hugetlb folios are allocated for memfd, they are not properly initialized, allowing uninitialized kernel memory to be exposed to userspace. This issue arises because the memfd allocation process skips essential initialization steps that are normally managed by the page fault handler. The vulnerability is particularly concerning for udmabuf use cases, where pinned folios are accessed directly by userspace via DMA.

Impact

The vulnerability could result in the unintentional disclosure of kernel memory to userspace, potentially exposing sensitive information or leading to further exploitation.

Reproduction

To reproduce this vulnerability, allocate hugetlb folios through the memfd allocation path, which bypasses the normal page fault handler. This can be done by using the memfd_pin_folios() function to pin the folios and then accessing them directly from userspace via DMA, which exposes the uninitialized memory.

Remediation

The vulnerability has been addressed by updating the memfd allocation process to include the missing initialization steps. This involves zeroing the folio to prevent information leaks, marking it as up-to-date before adding it to the page cache, and taking the hugetlb_fault_mutex to prevent race conditions. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this vulnerability.

Added: Dec 16, 2025, 6:30 PM
Updated: Dec 16, 2025, 6:30 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.