Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2022 / CVE-2022-49081.mbox
blob: ed96278e3e5f7411e42075e7ef59e225044098f9 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49081: highmem: fix checks in __kmap_local_sched_{in,out}
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
highmem: fix checks in __kmap_local_sched_{in,out}
When CONFIG_DEBUG_KMAP_LOCAL is enabled __kmap_local_sched_{in,out} check
that even slots in the tsk->kmap_ctrl.pteval are unmapped. The slots are
initialized with 0 value, but the check is done with pte_none. 0 pte
however does not necessarily mean that pte_none will return true. e.g.
on xtensa it returns false, resulting in the following runtime warnings:
WARNING: CPU: 0 PID: 101 at mm/highmem.c:627 __kmap_local_sched_out+0x51/0x108
CPU: 0 PID: 101 Comm: touch Not tainted 5.17.0-rc7-00010-gd3a1cdde80d2-dirty #13
Call Trace:
dump_stack+0xc/0x40
__warn+0x8f/0x174
warn_slowpath_fmt+0x48/0xac
__kmap_local_sched_out+0x51/0x108
__schedule+0x71a/0x9c4
preempt_schedule_irq+0xa0/0xe0
common_exception_return+0x5c/0x93
do_wp_page+0x30e/0x330
handle_mm_fault+0xa70/0xc3c
do_page_fault+0x1d8/0x3c4
common_exception+0x7f/0x7f
WARNING: CPU: 0 PID: 101 at mm/highmem.c:664 __kmap_local_sched_in+0x50/0xe0
CPU: 0 PID: 101 Comm: touch Tainted: G W 5.17.0-rc7-00010-gd3a1cdde80d2-dirty #13
Call Trace:
dump_stack+0xc/0x40
__warn+0x8f/0x174
warn_slowpath_fmt+0x48/0xac
__kmap_local_sched_in+0x50/0xe0
finish_task_switch$isra$0+0x1ce/0x2f8
__schedule+0x86e/0x9c4
preempt_schedule_irq+0xa0/0xe0
common_exception_return+0x5c/0x93
do_wp_page+0x30e/0x330
handle_mm_fault+0xa70/0xc3c
do_page_fault+0x1d8/0x3c4
common_exception+0x7f/0x7f
Fix it by replacing !pte_none(pteval) with pte_val(pteval) != 0.
The Linux kernel CVE team has assigned CVE-2022-49081 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.15.34 with commit c21d040de6225414547d9bd31cd200f290991c85
Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.16.20 with commit 85550b0f5fa5dd3c30469ea702c44444ef242c83
Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.17.3 with commit 7dd5b3b97716a611fcf67d92fd2370fcb8d50372
Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.18 with commit 66f133ceab7456c789f70a242991ed1b27ba1c3d
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49081
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
mm/highmem.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c21d040de6225414547d9bd31cd200f290991c85
https://git.kernel.org/stable/c/85550b0f5fa5dd3c30469ea702c44444ef242c83
https://git.kernel.org/stable/c/7dd5b3b97716a611fcf67d92fd2370fcb8d50372
https://git.kernel.org/stable/c/66f133ceab7456c789f70a242991ed1b27ba1c3d