CVE-2024-42243 - Page Cache Size Vulnerability Fixed in Linux Kernel’s XArray

A new Linux kernel security issue—CVE-2024-42243—was identified in the way the kernel’s mm/filemap layer handles large page cache entries on certain architectures. Specifically, this vulnerability centered around the MAX_PAGECACHE_ORDER value, which could lead to warnings or errors on systems with large base page sizes, such as ARM64 platforms with 64KB base pages and huge pages up to 512MB.

In plain terms:

Linux systems with big pages could crash or behave wrong if the page cache was too large for the internal xarray structure to handle. This has now been fixed.

What was wrong?

When Linux handles files in memory, it uses the "page cache." Internally, this links to a data structure called xarray. Xarray has size limits, but the code didn’t check these well—if a machine used very large page sizes, the system could trigger a WARN_ON() (a warning used by kernel developers to spot bugs), and sometimes even crash or misbehave.

512MB huge pages

A full discussion from kernel engineers:
Linux-XFS mailing list discussion

The problematic warning happens here in the kernel (from lib/xarray.c)

if (order > MAX_ORDER) {
    WARN_ON(1);
    return -EINVAL;
}

If a file mapping or memory allocation goes above what xarray can do, the kernel throws a loud warning—and things can break in tricky ways.

How to Trigger the Vulnerability

The original bug submitter included a test program. Here’s (simplified and commented) C code that triggers the issue on an affected system:

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

// Requires 64KB page size system!
#define FILENAME "/dev/shm/data"
#define MEM_SIZE x20000000

int main() {
    int pgsize = getpagesize();
    if (pgsize != x10000) {
        fprintf(stderr, "64KB base page size is required\n");
        return 1;
    }
    int fd = open(FILENAME, O_CREAT | O_RDWR | O_TRUNC, 060);
    if (fd < ) exit(1);

    ftruncate(fd, MEM_SIZE);
    void *buf = mmap(NULL, MEM_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, );
    madvise(buf, MEM_SIZE, MADV_HUGEPAGE);
    madvise(buf, MEM_SIZE, MADV_POPULATE_WRITE);

    // Create a "hole" at the end to force xarray split and bug
    fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,
              MEM_SIZE - pgsize, pgsize);

    munmap(buf, MEM_SIZE);
    close(fd);
    return ;
}

On an ARM64 system with the right config (cat /proc/1/smaps | grep KernelPageSize yields 64 kB), running the test would trigger a kernel warning:

WARNING: CPU: ... at lib/xarray.c:1025 xas_split_alloc+xf8/x128
...

Exploit Scenario

CVE-2024-42243 is a "robustness bug" rather than a classic security flaw (no obvious direct privilege escalation or code execution), but it's serious for these two reasons:
- Kernel memory management is critical: If *xarray* is pushed beyond its limit by a crafted or unwitting application, the kernel can misbehave. In worst cases, you might get denial of service or data corruption.
- Attackers might develop a privilege escalation where kernel warnings or malfunctions are chained with other bugs.

Risk:

- Most desktop/server users with standard x86 systems aren’t exposed.
- ARM64 (common in phones and cloud) with large page configs *are* at risk, especially if they use custom file mappings, shared memory, or testing big files.

Official Fix

The Linux maintainers have merged a set of patches (and follow-ups):

Avoid PMD-sized page cache in some paths, especially on shmem (shared memory) files.

What changed?
Instead of allowing huge pages the kernel couldn’t handle, the code now checks the max supported xarray order and only allocates up to that.

Direct links

- Linus’s patch
- Follow-up patch series

How to Protect Your Systems

- Upgrade your kernel to a version including this fix after 6.10-rc5.

Summary Table

| Impacted systems | Non-Impacted systems |
|---------------------|-------------------------------------|
| ARM64 with 64KB pages and huge pages | x86_64, standard Linux distros |
| Custom kernels | Stock Ubuntu, RHEL, Fedora |

Additional References

- Linux kernel source, mm/filemap.c
- Linux kernel Patch: Limit page cache size to xarray support
- Linux-XFS Mailing List Report
- LWN Article on patch series

Conclusion

CVE-2024-42243 highlights how kernel memory internals sometimes hit hard limits in unusual configurations. If you're running on ARM64 or maintain custom Linux builds, be sure to update your kernel and review your system’s page cache and xarray handling. For most standard users and cloud environments, updating as part of regular maintenance will keep you safe.

Timeline

Published on: 08/07/2024 16:15:47 UTC
Last modified on: 08/08/2024 14:53:35 UTC