Linux 6.9 Hugepage Memory Leak Scanner

Linux kernel 6.9 introduces a significant new feature: the Hugepage Linux kernel 6.9 introduces a significant new feature: the Hugepage Memory Leak Scanner.

This tool is designed to detect memory leaks specifically within hugepage allocations. Hugepages (like 2MB or 1GB blocks) are crucial for high-performance applications such as databases and virtual machines, as they reduce TLB misses and improve efficiency.

Leaks in these large memory regions can severely impact system stability and performance, leading to crashes or degradation over time. The new scanner helps kernel developers and system administrators identify and debug these elusive issues more effectively. Its inclusion enhances the kernel's overall reliability and provides a vital diagnostic capability for critical workloads.

=============================================================================================================================================
| # Title : Linux 5.8 to 6.9 Security scanning tool for Hugepage leak vulnerability detection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built?in component. No standalone download available. |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212396/ & CVE-2023-1206, CVE-2024-49882, CVE-2025-40040

[+] Summary : This C-based tool scans Linux systems for a potential Hugepage memory leak vulnerability referred to as CVE?2024?49882.
It checks whether the system supports memfd_create and HugeTLB, allocates a hugepage, and inspects its contents to see if any leftover data indicates a memory leak.
If container runtimes (e.g., Docker, containerd) are detected and the hugepage memory is not properly zeroed, the system may be vulnerable.
The tool outputs a full security assessment including severity level and recommended mitigation actions.

[+] POC : Security.c


#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define MFD_HUGETLB 0x0004U
#define MFD_ALLOW_SEALING 0x0002U
#define MFD_HUGE_2MB (21 << 26)
#define HUGEPAGE_SIZE (2*1024*1024)

typedef struct {
bool is_vulnerable;
const char *vulnerability_name;
const char *description;
const char *remediation;
int severity; // 1-10, where 10 is most severe
} SecurityReport;

void print_banner() {
printf("????????????????????????????????????????????????????????????????\n");
printf("? Hugepage Security Scanner Tool ?\n");
printf("? Detecting potential CVE-2024-49882 issues ?\n");
printf("????????????????????????????????????????????????????????????????\n\n");
}

void print_usage() {
printf("Usage: sudo ./hugepage_scanner [options]\n");
printf("Options:\n");
printf(" --test-only : Only test without detailed analysis\n");
printf(" --check-config : Check system configuration only\n");
printf(" --help : Show this help message\n\n");
}

bool check_memfd_support() {
printf("[*] Checking memfd_create support...\n");

// Test syscall 319 (memfd_create)
int memfd = syscall(319, "test", 0);
if (memfd < 0) {
if (errno == ENOSYS) {
printf("[-] System does not support memfd_create\n");
return false;
}
perror("memfd_create failed");
return false;
}

close(memfd);
printf("[+] System supports memfd_create\n");
return true;
}

bool check_hugetlb_support() {
printf("[*] Checking HugeTLB support...\n");

FILE *f = fopen("/sys/kernel/mm/hugepages/hugepages-2048kB/free_hugepages", "r");
if (!f) {
printf("[-] Cannot access hugepage information (might be protected)\n");
return false;
}

int free_hp = 0;
if (fscanf(f, "%d", &free_hp) == 1) {
printf("[+] Hugepages available: %d\n", free_hp);
}
fclose(f);

// Try to create a HugeTLB memfd
int memfd = syscall(319, "test", MFD_HUGETLB | MFD_HUGE_2MB);
if (memfd < 0) {
printf("[-] Cannot create HugeTLB memfd (might be security restriction)\n");
return false;
}

close(memfd);
printf("[+] System supports HugeTLB\n");
return true;
}

SecurityReport check_vulnerability() {
SecurityReport report = {
.is_vulnerable = false,
.vulnerability_name = "CVE-2024-49882 - Cross-container hugepage data leak",
.description = "Potential data leak through reused hugepages across containers",
.remediation = "Update kernel, enable memory zeroing, isolate container memory",
.severity = 7
};

printf("[*] Testing for CVE-2024-49882 vulnerability...\n");

// Check if we can access hugepage statistics
if (access("/sys/kernel/mm/hugepages", F_OK) == -1) {
printf("[+] Hugepage sysfs not accessible (good security practice)\n");
report.is_vulnerable = false;
return report;
}

// Check kernel version (simplified)
FILE *f = fopen("/proc/version", "r");
if (f) {
char version[256];
if (fgets(version, sizeof(version), f)) {
printf("[*] Kernel: %s", version);
}
fclose(f);
}

// Check if containers are running
bool containers_detected = false;
if (access("/run/containerd", F_OK) == 0 ||
access("/var/run/docker.sock", F_OK) == 0) {
containers_detected = true;
printf("[!] Container runtime detected\n");
}

// Test memory isolation
printf("[*] Testing memory isolation...\n");

// Try to allocate and check if we can access random memory
int memfd = syscall(319, "security_test", MFD_HUGETLB | MFD_HUGE_2MB);
if (memfd < 0) {
if (errno == EACCES || errno == EPERM) {
printf("[+] HugeTLB access restricted (good)\n");
report.is_vulnerable = false;
return report;
}
} else {
// Map and check content
void *addr = mmap(NULL, HUGEPAGE_SIZE, PROT_READ | PROT_WRITE,
MAP_SHARED, memfd, 0);
if (addr != MAP_FAILED) {
// Check if memory appears uninitialized
uint8_t *data = (uint8_t *)addr;
int non_zero_count = 0;
for (size_t i = 0; i < 4096; i += 64) { // Sample 64 points
if (data[i] != 0) non_zero_count++;
}

if (non_zero_count > 10) {
printf("[!] WARNING: Non-zero data found in fresh hugepage\n");
report.is_vulnerable = true;
report.severity = 8;
} else {
printf("[+] Memory appears properly zeroed\n");
}

munmap(addr, HUGEPAGE_SIZE);
}
close(memfd);
}

if (report.is_vulnerable && containers_detected) {
report.severity = 9; // Higher severity if containers are present
}

return report;
}

void check_system_configuration() {
printf("\n[*] Checking system configuration...\n");

// Check if memory zeroing is enabled
printf("[*] Checking memory zeroing settings...\n");

FILE *f = fopen("/proc/sys/vm/drop_caches", "r");
if (f) {
int value;
if (fscanf(f, "%d", &value) == 1) {
printf("[+] drop_caches value: %d\n", value);
}
fclose(f);
}

// Check kernel parameters
printf("[*] Checking kernel parameters...\n");
system("sysctl vm.nr_hugepages vm.nr_overcommit_hugepages 2>/dev/null");

// Check security modules
printf("[*] Checking security modules...\n");
if (access("/sys/kernel/security/apparmor", F_OK) == 0) {
printf("[+] AppArmor is active\n");
}
if (access("/sys/kernel/security/selinux", F_OK) == 0) {
printf("[+] SELinux is active\n");
}
}

void print_report(SecurityReport report) {
printf("\n??????????????????????????????????????????????????????????????\n");
printf("SECURITY ASSESSMENT REPORT\n");
printf("??????????????????????????????????????????????????????????????\n\n");

printf("Vulnerability: %s\n", report.vulnerability_name);
printf("Status: %s\n", report.is_vulnerable ? "POTENTIALLY VULNERABLE" : "LIKELY SAFE");
printf("Severity: %d/10\n", report.severity);
printf("\nDescription: %s\n", report.description);

if (report.is_vulnerable) {
printf("\n?? RECOMMENDED ACTIONS:\n");
printf("%s\n", report.remediation);
printf("1. Update to the latest kernel version\n");
printf("2. Ensure CONFIG_HUGETLBFS is properly configured\n");
printf("3. Implement container memory isolation\n");
printf("4. Enable memory zeroing on free\n");
printf("5. Monitor hugepage allocation patterns\n");
} else {
printf("\n? System appears properly configured\n");
}

printf("\n??????????????????????????????????????????????????????????????\n");
}

int main(int argc, char *argv[]) {
bool test_only = false;
bool check_config = false;

// Parse arguments
for (int i = 1; i < argc; i++) {
if (strcmp(argv[i], "--test-only") == 0) {
test_only = true;
} else if (strcmp(argv[i], "--check-config") == 0) {
check_config = true;
} else if (strcmp(argv[i], "--help") == 0) {
print_usage();
return 0;
}
}

print_banner();

if (geteuid() != 0) {
printf("?? Warning: Running without root privileges. Some checks may fail.\n");
printf(" Consider running with sudo for complete assessment.\n\n");
}

printf("[*] Starting security assessment...\n\n");

// Run checks
bool memfd_supported = check_memfd_support();
bool hugetlb_supported = check_hugetlb_support();

if (!memfd_supported || !hugetlb_supported) {
printf("\n[+] System appears to have mitigations in place\n");
SecurityReport safe_report = {
.is_vulnerable = false,
.vulnerability_name = "CVE-2024-49882",
.description = "System lacks vulnerable features or has them disabled",
.remediation = "Maintain current configuration",
.severity = 1
};
print_report(safe_report);
return 0;
}

if (!test_only) {
SecurityReport report = check_vulnerability();

if (check_config) {
check_system_configuration();
}

print_report(report);

// Additional recommendations
printf("\n? ADDITIONAL SECURITY RECOMMENDATIONS:\n");
printf(" 1. Regularly audit hugepage usage: grep -r huge /proc/*/maps\n");
printf(" 2. Monitor container lifecycle events\n");
printf(" 3. Implement memory auditing with auditd\n");
printf(" 4. Consider using memory encryption technologies\n");
printf(" 5. Limit hugepage allocation to trusted processes\n");

return report.is_vulnerable ? 1 : 0;
}

return 0;
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================