CVE & CISA-KEV Catalog

CVE-2024-40918

MEDIUM
6.3
CVSS v3
NVD

Description

In the Linux kernel, the following vulnerability has been resolved: parisc: Try to fix random segmentation faults in package builds PA-RISC systems with PA8800 and PA8900 processors have had problems with random segmentation faults for many years. Systems with earlier processors are much more stable. Systems with PA8800 and PA8900 processors have a large L2 cache which needs per page flushing for decent performance when a large range is flushed. The combined cache in these systems is also more sensitive to non-equivalent aliases than the caches in earlier systems. The majority of random segmentation faults that I have looked at appear to be memory corruption in memory allocated using mmap and malloc. My first attempt at fixing the random faults didn't work. On reviewing the cache code, I realized that there were two issues which the existing code didn't handle correctly. Both relate to cache move-in. Another issue is that the present bit in PTEs is racy. 1) PA-RISC caches have a mind of their own and they can speculatively load data and instructions for a page as long as there is a entry in the TLB for the page which allows move-in. TLBs are local to each CPU. Thus, the TLB entry for a page must be purged before flushing the page. This is particularly important on SMP systems. In some of the flush routines, the flush routine would be called and then the TLB entry would be purged. This was because the flush routine needed the TLB entry to do the flush. 2) My initial approach to trying the fix the random faults was to try and use flush_cache_page_if_present for all flush operations. This actually made things worse and led to a couple of hardware lockups. It finally dawned on me that some lines weren't being flushed because the pte check code was racy. This resulted in random inequivalent mappings to physical pages. The __flush_cache_page tmpalias flush sets up its own TLB entry and it doesn't need the existing TLB entry. As long as we can find the pte pointer for the vm page, we can get the pfn and physical address of the page. We can also purge the TLB entry for the page before doing the flush. Further, __flush_cache_page uses a special TLB entry that inhibits cache move-in. When switching page mappings, we need to ensure that lines are removed from the cache. It is not sufficient to just flush the lines to memory as they may come back. This made it clear that we needed to implement all the required flush operations using tmpalias routines. This includes flushes for user and kernel pages. After modifying the code to use tmpalias flushes, it became clear that the random segmentation faults were not fully resolved. The frequency of faults was worse on systems with a 64 MB L2 (PA8900) and systems with more CPUs (rp4440). The warning that I added to flush_cache_page_if_present to detect pages that couldn't be flushed triggered frequently on some systems. Helge and I looked at the pages that couldn't be flushed and found that the PTE was either cleared or for a swap page. Ignoring pages that were swapped out seemed okay but pages with cleared PTEs seemed problematic. I looked at routines related to pte_clear and noticed ptep_clear_flush. The default implementation just flushes the TLB entry. However, it was obvious that on parisc we need to flush the cache page as well. If we don't flush the cache page, stale lines will be left in the cache and cause random corruption. Once a PTE is cleared, there is no way to find the physical address associated with the PTE and flush the associated page at a later time. I implemented an updated change with a parisc specific version of ptep_clear_flush. It fixed the random data corruption on Helge's rp4440 and rp3440, as well as on my c8000. At this point, I realized that I could restore the code where we only flush in flush_cache_page_if_present if the page has been accessed. However, for this, we also need to flush the cache when the accessed bit is cleared in ---truncated---

How to fix

Remediation Available
linuxDebian
Fixed in:6.9.7-1CVE-2024-40918
Fixed in:6.9.7-1CVE-2024-40918
linuxUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-awsUbuntu
Fixed in:6.8.0-1015.16USN-6999-1
linux-azureUbuntu
Fixed in:6.8.0-1014.16USN-7004-1
linux-gcpUbuntu
Fixed in:6.8.0-1014.16USN-6999-1
linux-gkeUbuntu
Fixed in:6.8.0-1010.13USN-6999-1
linux-hwe-6.8Ubuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-ibmUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-6.8.0-1010-gkeUbuntu
Fixed in:6.8.0-1010.13USN-6999-1
linux-image-6.8.0-1011-raspiUbuntu
Fixed in:6.8.0-1011.12USN-6999-2
linux-image-6.8.0-1012-ibmUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-6.8.0-1012-oemUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-6.8.0-1012-oracleUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-6.8.0-1012-oracle-64kUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-6.8.0-1013-nvidiaUbuntu
Fixed in:6.8.0-1013.14~22.04.1USN-7005-2
Fixed in:6.8.0-1013.14USN-7005-1
linux-image-6.8.0-1013-nvidia-64kUbuntu
Fixed in:6.8.0-1013.14~22.04.1USN-7005-2
Fixed in:6.8.0-1013.14USN-7005-1
linux-image-6.8.0-1013-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1013.14.1USN-7005-1
linux-image-6.8.0-1013-nvidia-lowlatency-64kUbuntu
Fixed in:6.8.0-1013.14.1USN-7005-1
linux-image-6.8.0-1014-azureUbuntu
Fixed in:6.8.0-1014.16USN-7004-1
linux-image-6.8.0-1014-azure-fdeUbuntu
Fixed in:6.8.0-1014.16USN-7004-1
linux-image-6.8.0-1014-gcpUbuntu
Fixed in:6.8.0-1014.16USN-6999-1
linux-image-6.8.0-1015-awsUbuntu
Fixed in:6.8.0-1015.16USN-6999-1
linux-image-6.8.0-44-genericUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-6.8.0-44-generic-64kUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-6.8.0-44-lowlatencyUbuntu
Fixed in:6.8.0-44.44.1~22.04.1USN-7008-1
Fixed in:6.8.0-44.44.1USN-6999-1
linux-image-6.8.0-44-lowlatency-64kUbuntu
Fixed in:6.8.0-44.44.1~22.04.1USN-7008-1
Fixed in:6.8.0-44.44.1USN-6999-1
linux-image-6.8.0-45-genericUbuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-6.8.0-45-generic-64kUbuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-awsUbuntu
Fixed in:6.8.0-1015.16USN-6999-1
linux-image-azureUbuntu
Fixed in:6.8.0-1014.16USN-7004-1
linux-image-azure-fdeUbuntu
Fixed in:6.8.0-1014.16USN-7004-1
linux-image-gcpUbuntu
Fixed in:6.8.0-1014.16USN-6999-1
linux-image-genericUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-generic-64kUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-generic-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-generic-64k-hwe-24.04Ubuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-generic-hwe-22.04Ubuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-generic-hwe-24.04Ubuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-generic-lpaeUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-gkeUbuntu
Fixed in:6.8.0-1010.13USN-6999-1
linux-image-ibmUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-ibm-classicUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-ibm-lts-24.04Ubuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-kvmUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-lowlatencyUbuntu
Fixed in:6.8.0-44.44.1USN-6999-1
linux-image-lowlatency-64kUbuntu
Fixed in:6.8.0-44.44.1USN-6999-1
linux-image-lowlatency-64k-hwe-22.04Ubuntu
Fixed in:6.8.0-44.44.1~22.04.1USN-7008-1
linux-image-lowlatency-hwe-22.04Ubuntu
Fixed in:6.8.0-44.44.1~22.04.1USN-7008-1
linux-image-nvidiaUbuntu
Fixed in:6.8.0-1013.13USN-7005-1
linux-image-nvidia-6.8Ubuntu
Fixed in:6.8.0-1013.14~22.04.1USN-7005-2
linux-image-nvidia-64kUbuntu
Fixed in:6.8.0-1013.13USN-7005-1
linux-image-nvidia-64k-6.8Ubuntu
Fixed in:6.8.0-1013.14~22.04.1USN-7005-2
linux-image-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1013.14.1USN-7005-1
linux-image-nvidia-lowlatency-64kUbuntu
Fixed in:6.8.0-1013.14.1USN-7005-1
linux-image-oem-22.04Ubuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-oem-22.04aUbuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-oem-22.04bUbuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-oem-22.04cUbuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-oem-22.04dUbuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-oracleUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-oracle-64kUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-image-raspiUbuntu
Fixed in:6.8.0-1011.12USN-6999-2
linux-image-virtualUbuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-image-virtual-hwe-22.04Ubuntu
Fixed in:6.8.0-45.45~22.04.1USN-7029-1
linux-image-virtual-hwe-24.04Ubuntu
Fixed in:6.8.0-44.44USN-6999-1
linux-lowlatencyUbuntu
Fixed in:6.8.0-44.44.1USN-6999-1
linux-lowlatency-hwe-6.8Ubuntu
Fixed in:6.8.0-44.44.1~22.04.1USN-7008-1
linux-nvidiaUbuntu
Fixed in:6.8.0-1013.14USN-7005-1
linux-nvidia-6.8Ubuntu
Fixed in:6.8.0-1013.14~22.04.1USN-7005-2
linux-nvidia-lowlatencyUbuntu
Fixed in:6.8.0-1013.14.1USN-7005-1
linux-oem-6.8Ubuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-oracleUbuntu
Fixed in:6.8.0-1012.12USN-6999-1
linux-raspiUbuntu
Fixed in:6.8.0-1011.12USN-6999-2

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityHigh
AvailabilityHigh

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploit Intelligence

0.26%probability of exploitation in 30 days
18thpercentile

Low risk: more likely to be exploited than 18% of all known CVEs.

References

Embed a live status badge for CVE-2024-40918
CVE-2024-40918 severity badge

Markdown

[![CVE-2024-40918](https://tridentstack.com/cve/badge/CVE-2024-40918.svg)](https://tridentstack.com/cve/CVE-2024-40918)

HTML

<a href="https://tridentstack.com/cve/CVE-2024-40918"><img src="https://tridentstack.com/cve/badge/CVE-2024-40918.svg" alt="CVE-2024-40918"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-09-17.