Cyber Posture

CVE-2024-57945

Severity: High
Published: 21 January 2025
Modified: 03 November 2025
KEV Added: not listed (see Summary)
Patch: upstream fix available (see Deeper analysis)
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0002 (3.8th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57945 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel's RISC-V memory management code, specifically the sparse vmemmap model. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE is ranked at the 3.8th percentile by exploit likelihood (EPSS 0.0002, well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Credential Access (T1212) and one other technique, Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly remediates the out-of-bounds virtual address calculation in the RISC-V sparse vmemmap code by applying the kernel patch that introduces vmemmap_start_pfn, aligned to the memory section size.

RA-5 Vulnerability Monitoring and Scanning (detect)
Identifies the presence of CVE-2024-57945 in vulnerable Linux kernel versions on RISC-V systems through vulnerability scanning and monitoring, so that remediation can be scheduled promptly.

Memory protection (prevent)
Memory protection mechanisms limit the impact of out-of-bounds accesses caused by faulty vmemmap VA calculations, reducing the confidentiality and availability risk. Treat this as a compensating control: it does not remove the faulty calculation, which only the patch does.

MITRE ATT&CK Enterprise Techniques

T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A kernel out-of-bounds read can disclose sensitive kernel memory, which maps to T1212, and can crash the system, which maps to T1499.004. The mapping to direct exploitation rests on the CVSS vector's local, low-privilege trigger; see the caveat in the Deeper analysis section about when the faulty calculation actually runs.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: riscv: mm: Fix the out of bound issue of vmemmap address. In sparse vmemmap model, the virtual address of vmemmap is calculated as: ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)). And the struct page's va can be calculated with an offset: (vmemmap + (pfn)). However, when initializing struct pages, kernel actually starts from the first page from the same section that phys_ram_base belongs to. If the first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then we get a va below VMEMMAP_START when calculating va for its struct page. For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the first page in the same section is actually pfn 0x80000. During init_unavailable_range(), we will initialize struct page for pfn 0x80000 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is below VMEMMAP_START as well as PCI_IO_END. This commit fixes this bug by introducing a new variable 'vmemmap_start_pfn' which is aligned with memory section size and using it to calculate vmemmap address instead of phys_ram_base.

Deeper analysis

CVE-2024-57945 is a vulnerability in the Linux kernel's RISC-V memory management subsystem, specifically the sparse vmemmap model. The kernel computes the virtual address (VA) of a page's struct page as ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)) + pfn. struct page initialisation in init_unavailable_range(), however, starts from the first page of the memory section that contains phys_ram_base, and that page can have a lower page frame number (PFN) than phys_ram_base itself: with phys_ram_base at PFN 0x82000 the section starts at PFN 0x80000, so the computed VA lands 0x2000 struct pages below VMEMMAP_START (and below PCI_IO_END), and the kernel accesses memory outside the vmemmap area. NVD classifies this as an out-of-bounds read (CWE-125) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

The CVSS vector models a local, low-privileged attacker with low attack complexity and no user interaction, rating the confidentiality impact high (disclosure of kernel memory) and the availability impact high (system crash). The caveat a practitioner should keep in mind is that the faulty calculation runs during boot-time memory initialisation, on RISC-V systems whose phys_ram_base is not aligned to a memory section; it is the kernel itself, not user code, that performs the out-of-bounds access. Whether a given board is exposed therefore depends on its physical memory layout and kernel version rather than on anything an attacker invokes on demand, and the practical remedy is the patched kernel.

Mitigation is to apply the upstream kernel fix. The primary commit, 92f08673d3f1893191323572f60e3c62f2e57c2f, introduces a new variable vmemmap_start_pfn, aligned to the memory section size, and uses it in place of phys_ram_base when calculating the vmemmap address. Backports to stable branches are linked from git.kernel.org as commits a4a7ac3d266008018f05fae53060fcb331151a14, d2bd51954ac8377c2f1eb1813e694788998add66 and f754f27e98f88428aaf6be6e00f5cbce97f62d4b. Debian LTS has also announced the issue in its tracker.
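To make the arithmetic in the NVD description and the analysis above concrete, here is a small C model of the pre-fix and post-fix calculations. It is an added example, not kernel source and not code from this page or from the fix commits: the page size, a 128 MiB section size (SECTION_SIZE_BITS 27), a 64-byte struct page and the VMEMMAP_START value are assumptions chosen so that the commit's own numbers (phys_ram_base 0x82000000, PFN 0x82000, section start PFN 0x80000) reproduce, and every function name is illustrative rather than the kernel's.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Model of the RISC-V sparse vmemmap address calculation described in the
 * CVE text. Everything here is an illustrative model, not kernel code: the
 * constants are assumptions chosen to reproduce the commit message's example.
 */
#define PAGE_SHIFT         12ULL
#define SECTION_SIZE_BITS  27ULL                        /* assumed 128 MiB memory sections */
#define PAGES_PER_SECTION  (1ULL << (SECTION_SIZE_BITS - PAGE_SHIFT))  /* 0x8000 pfns */
#define STRUCT_PAGE_SIZE   64ULL                        /* assumed sizeof(struct page) */
#define VMEMMAP_START      0xffffffd800000000ULL        /* illustrative vmemmap base */

/* PFN of the first page in the memory section containing pfn: this is where
 * init_unavailable_range() really starts initialising struct pages. */
uint64_t first_pfn_in_section(uint64_t pfn)
{
    return pfn & ~(PAGES_PER_SECTION - 1);
}

/* Pre-fix: vmemmap is anchored on the raw phys_ram_base pfn. */
uint64_t vmemmap_base_pfn_buggy(uint64_t phys_ram_base)
{
    return phys_ram_base >> PAGE_SHIFT;
}

/* Post-fix: vmemmap_start_pfn is aligned down to the memory section. */
uint64_t vmemmap_start_pfn_fixed(uint64_t phys_ram_base)
{
    return first_pfn_in_section(phys_ram_base >> PAGE_SHIFT);
}

/*
 * VA of the struct page for pfn, i.e. (struct page *)VMEMMAP_START - base_pfn + pfn
 * in struct page units. The delta is kept signed so that pfn < base_pfn yields an
 * address below VMEMMAP_START, which is exactly the underflow the bug report describes.
 */
uint64_t struct_page_va(uint64_t base_pfn, uint64_t pfn)
{
    int64_t delta = (int64_t)pfn - (int64_t)base_pfn;
    return VMEMMAP_START + (uint64_t)(delta * (int64_t)STRUCT_PAGE_SIZE);
}

/* The invariant the kernel relies on: every struct page lives at or above VMEMMAP_START. */
bool va_in_vmemmap(uint64_t va)
{
    return va >= VMEMMAP_START;
}

int main(void)
{
    const uint64_t phys_ram_base = 0x82000000ULL;        /* example from the commit message */
    uint64_t ram_pfn   = phys_ram_base >> PAGE_SHIFT;     /* 0x82000 */
    uint64_t first_pfn = first_pfn_in_section(ram_pfn);   /* 0x80000 */

    uint64_t buggy = struct_page_va(vmemmap_base_pfn_buggy(phys_ram_base), first_pfn);
    uint64_t fixed = struct_page_va(vmemmap_start_pfn_fixed(phys_ram_base), first_pfn);

    printf("first pfn in section of 0x%llx is 0x%llx\n",
           (unsigned long long)ram_pfn, (unsigned long long)first_pfn);
    printf("buggy VA 0x%016llx inside vmemmap: %s\n",
           (unsigned long long)buggy, va_in_vmemmap(buggy) ? "yes" : "NO");
    printf("fixed VA 0x%016llx inside vmemmap: %s\n",
           (unsigned long long)fixed, va_in_vmemmap(fixed) ? "yes" : "NO");
    return 0;
}
```

Compiled with any C99 compiler, the program reports that the pre-fix VA for PFN 0x80000 sits 0x2000 struct pages below VMEMMAP_START while the post-fix VA sits exactly at VMEMMAP_START. A consequence the model makes visible: if phys_ram_base is already section-aligned, the two calculations agree, so a board whose RAM starts on a section boundary never exercises the faulty path, while one that starts mid-section does so at every boot.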

Details

CWE(s)

CWE-125 Out-of-bounds Read

Affected Products

Vendor: linux
Product: linux kernel
Versions (as listed by the source): 6.13, 6.8 · 5.10.212 — 5.11 · 5.15.151 — 5.16 · 6.1.81 — 6.1.140

CVEs Like This One

CVE-2025-21782 (same product: Linux kernel)
CVE-2025-21743 (same product: Linux kernel)
CVE-2026-23204 (same product: Linux kernel)
CVE-2026-31568 (same product: Linux kernel)
CVE-2026-43042 (same product: Linux kernel)
CVE-2026-23327 (same product: Linux kernel)
CVE-2026-31774 (same product: Linux kernel)
CVE-2026-43051 (same product: Linux kernel)
CVE-2026-23325 (same product: Linux kernel)
CVE-2025-21815 (same product: Linux kernel)
