CVE-2024-57945

High

Published: 21 January 2025

Published

21 January 2025

Modified

03 November 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS Score 0.0002 3.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: riscv: mm: Fix the out of bound issue of vmemmap address In sparse vmemmap model, the virtual address of vmemmap is calculated as: ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). And the struct page's va can be calculated with an offset: (vmemmap + (pfn)). However, when initializing struct pages, kernel actually starts from the first page from the same section that phys_ram_base belongs to. If the first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then we get an va below VMEMMAP_START when calculating va for it's struct page. For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During init_unavailable_range(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is below VMEMMAP_START as well as PCI_IO_END. This commit fixes this bug by introducing a new variable 'vmemmap_start_pfn' which is aligned with memory section size and using it to calculate vmemmap address instead of phys_ram_base.

Security Summary

CVE-2024-57945 is a vulnerability in the Linux kernel's RISC-V memory management subsystem, specifically affecting the sparse vmemmap model. The issue arises during struct page initialization, where the virtual address (VA) for pages is calculated using phys_ram_base shifted by PAGE_SHIFT, subtracted from VMEMMAP_START, and offset by the page frame number (PFN). If the first page in the memory section containing phys_ram_base has a lower PFN, such as when phys_ram_base is at PFN 0x82000 but the section starts at 0x80000, the resulting VA falls below VMEMMAP_START and PCI_IO_END, leading to an out-of-bounds access classified as CWE-125. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation involves triggering the faulty VA calculation during memory initialization on affected RISC-V systems, potentially enabling out-of-bounds reads for high confidentiality impact, such as unauthorized access to sensitive kernel memory, and high availability impact through denial-of-service effects like system crashes.

Mitigation requires applying upstream kernel patches, including the primary fix in commit 92f08673d3f1893191323572f60e3c62f2e57c2f, which introduces a new variable vmemmap_start_pfn aligned to the memory section size for accurate vmemmap address calculations instead of relying on phys_ram_base. Additional stable branch patches are available at git.kernel.org links such as a4a7ac3d266008018f05fae53060fcb331151a14, d2bd51954ac8377c2f1eb1813e694788998add66, and f754f27e98f88428aaf6be6e00f5cbce97f62d4b. Debian LTS has also announced the issue in their tracking.

Details

CWE(s): CWE-125

Affected Products

linux

linux kernel

6.13, 6.8 · 5.10.212 — 5.11 · 5.15.151 — 5.16 · 6.1.81 — 6.1.140

References

https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html
af854a3a-2127-422b-91ae-364da2661108