============================================================================================================================================= | # Title : Linux 5.8 to 6.9 Security scanning tool for Hugepage leak vulnerability detection | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : System built‑in component. No standalone download available. | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/212396/ & CVE-2023-1206, CVE-2024-49882, CVE-2025-40040 [+] Summary : This C-based tool scans Linux systems for a potential Hugepage memory leak vulnerability referred to as CVE‑2024‑49882. It checks whether the system supports memfd_create and HugeTLB, allocates a hugepage, and inspects its contents to see if any leftover data indicates a memory leak. If container runtimes (e.g., Docker, containerd) are detected and the hugepage memory is not properly zeroed, the system may be vulnerable. The tool outputs a full security assessment including severity level and recommended mitigation actions. [+] POC : Security.c #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #define MFD_HUGETLB 0x0004U #define MFD_ALLOW_SEALING 0x0002U #define MFD_HUGE_2MB (21 << 26) #define HUGEPAGE_SIZE (2*1024*1024) typedef struct { bool is_vulnerable; const char *vulnerability_name; const char *description; const char *remediation; int severity; // 1-10, where 10 is most severe } SecurityReport; void print_banner() { printf("╔══════════════════════════════════════════════════════════════╗\n"); printf("║ Hugepage Security Scanner Tool ║\n"); printf("║ Detecting potential CVE-2024-49882 issues ║\n"); printf("╚══════════════════════════════════════════════════════════════╝\n\n"); } void print_usage() { printf("Usage: sudo ./hugepage_scanner [options]\n"); printf("Options:\n"); printf(" --test-only : Only test without detailed analysis\n"); printf(" --check-config : Check system configuration only\n"); printf(" --help : Show this help message\n\n"); } bool check_memfd_support() { printf("[*] Checking memfd_create support...\n"); // Test syscall 319 (memfd_create) int memfd = syscall(319, "test", 0); if (memfd < 0) { if (errno == ENOSYS) { printf("[-] System does not support memfd_create\n"); return false; } perror("memfd_create failed"); return false; } close(memfd); printf("[+] System supports memfd_create\n"); return true; } bool check_hugetlb_support() { printf("[*] Checking HugeTLB support...\n"); FILE *f = fopen("/sys/kernel/mm/hugepages/hugepages-2048kB/free_hugepages", "r"); if (!f) { printf("[-] Cannot access hugepage information (might be protected)\n"); return false; } int free_hp = 0; if (fscanf(f, "%d", &free_hp) == 1) { printf("[+] Hugepages available: %d\n", free_hp); } fclose(f); // Try to create a HugeTLB memfd int memfd = syscall(319, "test", MFD_HUGETLB | MFD_HUGE_2MB); if (memfd < 0) { printf("[-] Cannot create HugeTLB memfd (might be security restriction)\n"); return false; } close(memfd); printf("[+] System supports HugeTLB\n"); return true; } SecurityReport check_vulnerability() { SecurityReport report = { .is_vulnerable = false, .vulnerability_name = "CVE-2024-49882 - Cross-container hugepage data leak", .description = "Potential data leak through reused hugepages across containers", .remediation = "Update kernel, enable memory zeroing, isolate container memory", .severity = 7 }; printf("[*] Testing for CVE-2024-49882 vulnerability...\n"); // Check if we can access hugepage statistics if (access("/sys/kernel/mm/hugepages", F_OK) == -1) { printf("[+] Hugepage sysfs not accessible (good security practice)\n"); report.is_vulnerable = false; return report; } // Check kernel version (simplified) FILE *f = fopen("/proc/version", "r"); if (f) { char version[256]; if (fgets(version, sizeof(version), f)) { printf("[*] Kernel: %s", version); } fclose(f); } // Check if containers are running bool containers_detected = false; if (access("/run/containerd", F_OK) == 0 || access("/var/run/docker.sock", F_OK) == 0) { containers_detected = true; printf("[!] Container runtime detected\n"); } // Test memory isolation printf("[*] Testing memory isolation...\n"); // Try to allocate and check if we can access random memory int memfd = syscall(319, "security_test", MFD_HUGETLB | MFD_HUGE_2MB); if (memfd < 0) { if (errno == EACCES || errno == EPERM) { printf("[+] HugeTLB access restricted (good)\n"); report.is_vulnerable = false; return report; } } else { // Map and check content void *addr = mmap(NULL, HUGEPAGE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, memfd, 0); if (addr != MAP_FAILED) { // Check if memory appears uninitialized uint8_t *data = (uint8_t *)addr; int non_zero_count = 0; for (size_t i = 0; i < 4096; i += 64) { // Sample 64 points if (data[i] != 0) non_zero_count++; } if (non_zero_count > 10) { printf("[!] WARNING: Non-zero data found in fresh hugepage\n"); report.is_vulnerable = true; report.severity = 8; } else { printf("[+] Memory appears properly zeroed\n"); } munmap(addr, HUGEPAGE_SIZE); } close(memfd); } if (report.is_vulnerable && containers_detected) { report.severity = 9; // Higher severity if containers are present } return report; } void check_system_configuration() { printf("\n[*] Checking system configuration...\n"); // Check if memory zeroing is enabled printf("[*] Checking memory zeroing settings...\n"); FILE *f = fopen("/proc/sys/vm/drop_caches", "r"); if (f) { int value; if (fscanf(f, "%d", &value) == 1) { printf("[+] drop_caches value: %d\n", value); } fclose(f); } // Check kernel parameters printf("[*] Checking kernel parameters...\n"); system("sysctl vm.nr_hugepages vm.nr_overcommit_hugepages 2>/dev/null"); // Check security modules printf("[*] Checking security modules...\n"); if (access("/sys/kernel/security/apparmor", F_OK) == 0) { printf("[+] AppArmor is active\n"); } if (access("/sys/kernel/security/selinux", F_OK) == 0) { printf("[+] SELinux is active\n"); } } void print_report(SecurityReport report) { printf("\n══════════════════════════════════════════════════════════════\n"); printf("SECURITY ASSESSMENT REPORT\n"); printf("══════════════════════════════════════════════════════════════\n\n"); printf("Vulnerability: %s\n", report.vulnerability_name); printf("Status: %s\n", report.is_vulnerable ? "POTENTIALLY VULNERABLE" : "LIKELY SAFE"); printf("Severity: %d/10\n", report.severity); printf("\nDescription: %s\n", report.description); if (report.is_vulnerable) { printf("\n⚠️ RECOMMENDED ACTIONS:\n"); printf("%s\n", report.remediation); printf("1. Update to the latest kernel version\n"); printf("2. Ensure CONFIG_HUGETLBFS is properly configured\n"); printf("3. Implement container memory isolation\n"); printf("4. Enable memory zeroing on free\n"); printf("5. Monitor hugepage allocation patterns\n"); } else { printf("\n✅ System appears properly configured\n"); } printf("\n══════════════════════════════════════════════════════════════\n"); } int main(int argc, char *argv[]) { bool test_only = false; bool check_config = false; // Parse arguments for (int i = 1; i < argc; i++) { if (strcmp(argv[i], "--test-only") == 0) { test_only = true; } else if (strcmp(argv[i], "--check-config") == 0) { check_config = true; } else if (strcmp(argv[i], "--help") == 0) { print_usage(); return 0; } } print_banner(); if (geteuid() != 0) { printf("⚠️ Warning: Running without root privileges. Some checks may fail.\n"); printf(" Consider running with sudo for complete assessment.\n\n"); } printf("[*] Starting security assessment...\n\n"); // Run checks bool memfd_supported = check_memfd_support(); bool hugetlb_supported = check_hugetlb_support(); if (!memfd_supported || !hugetlb_supported) { printf("\n[+] System appears to have mitigations in place\n"); SecurityReport safe_report = { .is_vulnerable = false, .vulnerability_name = "CVE-2024-49882", .description = "System lacks vulnerable features or has them disabled", .remediation = "Maintain current configuration", .severity = 1 }; print_report(safe_report); return 0; } if (!test_only) { SecurityReport report = check_vulnerability(); if (check_config) { check_system_configuration(); } print_report(report); // Additional recommendations printf("\n📋 ADDITIONAL SECURITY RECOMMENDATIONS:\n"); printf(" 1. Regularly audit hugepage usage: grep -r huge /proc/*/maps\n"); printf(" 2. Monitor container lifecycle events\n"); printf(" 3. Implement memory auditing with auditd\n"); printf(" 4. Consider using memory encryption technologies\n"); printf(" 5. Limit hugepage allocation to trusted processes\n"); return report.is_vulnerable ? 1 : 0; } return 0; } Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================