cve/published/2022/CVE-2022-48991.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48991: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

 Any codepath that zaps page table entries must invoke MMU notifiers to
 ensure that secondary MMUs (like KVM) don't keep accessing pages which
 aren't mapped anymore.  Secondary MMUs don't hold their own references to
 pages that are mirrored over, so failing to notify them can lead to page
 use-after-free.

 I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
 ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
 the security impact of this only came in commit 27e1f8273113 ("khugepaged:
 enable collapse pmd for pte-mapped THP"), which actually omitted flushes
 for the removal of present PTEs, not just for the removal of empty page
 tables.

 The Linux kernel CVE team has assigned CVE-2022-48991 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 4.9.337 with commit 275c626c131cfe141beeb6c575e31fa53d32da19
 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 4.14.303 with commit c23105673228c349739e958fa33955ed8faddcaf
 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 4.19.270 with commit ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3
 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 5.4.227 with commit 5ffc2a75534d9d74d49760f983f8eb675fa63d69
 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 5.10.159 with commit 7f445ca2e0e59c7971d0b7b853465e50844ab596
 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 5.15.83 with commit 1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3
 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 6.0.13 with commit 5450535901d89a5dcca5fbbc59a24fe89caeb465
 	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 6.1 with commit f268f6cf875f3220afc77bdd0bf1bb136eb54db9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48991
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/khugepaged.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/275c626c131cfe141beeb6c575e31fa53d32da19
 	https://git.kernel.org/stable/c/c23105673228c349739e958fa33955ed8faddcaf
 	https://git.kernel.org/stable/c/ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3
 	https://git.kernel.org/stable/c/5ffc2a75534d9d74d49760f983f8eb675fa63d69
 	https://git.kernel.org/stable/c/7f445ca2e0e59c7971d0b7b853465e50844ab596
 	https://git.kernel.org/stable/c/1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3
 	https://git.kernel.org/stable/c/5450535901d89a5dcca5fbbc59a24fe89caeb465
 	https://git.kernel.org/stable/c/f268f6cf875f3220afc77bdd0bf1bb136eb54db9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48991: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

	Any codepath that zaps page table entries must invoke MMU notifiers to
	ensure that secondary MMUs (like KVM) don't keep accessing pages which
	aren't mapped anymore. Secondary MMUs don't hold their own references to
	pages that are mirrored over, so failing to notify them can lead to page
	use-after-free.

	I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
	("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
	the security impact of this only came in commit 27e1f8273113 ("khugepaged:
	enable collapse pmd for pte-mapped THP"), which actually omitted flushes
	for the removal of present PTEs, not just for the removal of empty page
	tables.

	The Linux kernel CVE team has assigned CVE-2022-48991 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 4.9.337 with commit 275c626c131cfe141beeb6c575e31fa53d32da19
	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 4.14.303 with commit c23105673228c349739e958fa33955ed8faddcaf
	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 4.19.270 with commit ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3
	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 5.4.227 with commit 5ffc2a75534d9d74d49760f983f8eb675fa63d69
	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 5.10.159 with commit 7f445ca2e0e59c7971d0b7b853465e50844ab596
	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 5.15.83 with commit 1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3
	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 6.0.13 with commit 5450535901d89a5dcca5fbbc59a24fe89caeb465
	Issue introduced in 4.8 with commit f3f0e1d2150b2b99da2cbdfaad000089efe9bf30 and fixed in 6.1 with commit f268f6cf875f3220afc77bdd0bf1bb136eb54db9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48991
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/khugepaged.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/275c626c131cfe141beeb6c575e31fa53d32da19
	https://git.kernel.org/stable/c/c23105673228c349739e958fa33955ed8faddcaf
	https://git.kernel.org/stable/c/ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3
	https://git.kernel.org/stable/c/5ffc2a75534d9d74d49760f983f8eb675fa63d69
	https://git.kernel.org/stable/c/7f445ca2e0e59c7971d0b7b853465e50844ab596
	https://git.kernel.org/stable/c/1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3
	https://git.kernel.org/stable/c/5450535901d89a5dcca5fbbc59a24fe89caeb465
	https://git.kernel.org/stable/c/f268f6cf875f3220afc77bdd0bf1bb136eb54db9