Linux Kernel Huge Memory NULL Folio Vulnerability in move_pages_huge_pmd()

Vulnerability

A vulnerability exists in the Linux kernel's handling of huge zero pages in the move_pages_huge_pmd() function, which manages UFFDIO_MOVE operations for both standard transparent huge pages (THPs) and huge zero pages. For a huge zero page, the source folio is intentionally set to NULL, a sentinel used to bypass certain folio operations. The function does not correctly process the huge zero folio in this case, and the NULL value leads to two critical issues: on systems using SPARSEMEM_VMEMMAP, it produces a bogus Page Frame Number (PFN) that points to non-existent physical memory, so a PMD pointing to invalid memory is installed silently; on other memory models, it causes a direct NULL dereference.
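The SPARSEMEM_VMEMMAP case can be seen in a small user-space model of the page-to-PFN arithmetic. This is an added example, not kernel code or the upstream fix. The vmemmap base (the documented x86_64 4-level value without KASLR), the 64-byte struct page size, the 16 GiB machine and the model_resolve_pfn() guard are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model, not read from a running kernel. */
#define MODEL_VMEMMAP_BASE 0xffffea0000000000ULL /* x86_64, 4-level paging, no KASLR */
#define MODEL_STRUCT_PAGE  64ULL                 /* typical sizeof(struct page) */
#define MODEL_PAGE_SHIFT   12
#define MODEL_MAX_PFN      ((16ULL << 30) >> MODEL_PAGE_SHIFT) /* constructed: 16 GiB of RAM */

/* SPARSEMEM_VMEMMAP: pfn = page - vmemmap, plain array indexing with no checks. */
static uint64_t model_page_to_pfn(uint64_t page)
{
    return (uint64_t)((int64_t)(page - MODEL_VMEMMAP_BASE) / (int64_t)MODEL_STRUCT_PAGE);
}

/* Inverse mapping: address of the struct page describing a PFN. */
static uint64_t model_pfn_to_page(uint64_t pfn)
{
    return MODEL_VMEMMAP_BASE + pfn * MODEL_STRUCT_PAGE;
}

/* Simplified pfn_valid(): the PFN must lie inside the modelled RAM. */
static bool model_pfn_valid(uint64_t pfn)
{
    return pfn < MODEL_MAX_PFN;
}

/* Hypothetical guard: map the NULL sentinel to the huge zero folio before converting. */
static bool model_resolve_pfn(uint64_t src, uint64_t huge_zero, uint64_t *pfn)
{
    *pfn = model_page_to_pfn(src ? src : huge_zero);
    return model_pfn_valid(*pfn);
}

int main(void)
{
    uint64_t bogus = model_page_to_pfn(0); /* NULL source folio */
    uint64_t pfn;

    printf("page_to_pfn(NULL) = %#llx, phys = %#llx, valid = %d\n",
           (unsigned long long)bogus,
           (unsigned long long)(bogus << MODEL_PAGE_SHIFT), model_pfn_valid(bogus));
    if (model_resolve_pfn(0, model_pfn_to_page(0x200), &pfn))
        printf("guarded pfn = %#llx\n", (unsigned long long)pfn);
    return 0;
}
```

Because the conversion is pure pointer arithmetic, the NULL case does not fault at conversion time; the result only looks wrong when compared against the range of PFNs that actually exist.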

Impact

Exploitation of this vulnerability can lead to a NULL dereference, causing a crash, or the installation of a PMD that points to non-existent physical memory, which could corrupt memory management structures and potentially be exploited for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using the UFFDIO_MOVE operation on huge zero pages in the Linux kernel. This can be done by creating a memory mapping that uses huge pages and then performing a move operation that targets a huge zero page. The move_pages_huge_pmd() function will handle this operation, but due to the vulnerability, it will either dereference a NULL value or install a PMD that points to invalid memory.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is included in the Linux kernel stable tree.

Added: Apr 3, 2026, 4:30 PM
Updated: Apr 3, 2026, 4:30 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 4.3
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.