cve/published/2022/CVE-2022-49554.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49554: zsmalloc: fix races between asynchronous zspage free and page migration

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 zsmalloc: fix races between asynchronous zspage free and page migration

 The asynchronous zspage free worker tries to lock a zspage's entire page
 list without defending against page migration.  Since pages which haven't
 yet been locked can concurrently migrate off the zspage page list while
 lock_zspage() churns away, lock_zspage() can suffer from a few different
 lethal races.

 It can lock a page which no longer belongs to the zspage and unsafely
 dereference page_private(), it can unsafely dereference a torn pointer to
 the next page (since there's a data race), and it can observe a spurious
 NULL pointer to the next page and thus not lock all of the zspage's pages
 (since a single page migration will reconstruct the entire page list, and
 create_page_chain() unconditionally zeroes out each list pointer in the
 process).

 Fix the races by using migrate_read_lock() in lock_zspage() to synchronize
 with page migration.

 The Linux kernel CVE team has assigned CVE-2022-49554 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 4.14.282 with commit 3674d8a8dadd03a447dd21069d4dacfc3399b63b
 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 4.19.246 with commit 645996efc2ae391246d595832aaa6f9d3cc338c7
 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.4.197 with commit fc658c083904427abbf8f18280d517ee2668677c
 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.10.120 with commit fae05b2314b147a78fbed1dc4c645d9a66313758
 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.15.45 with commit 3ec459c8810e658401be428d3168eacfc380bdd0
 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.17.13 with commit 8ba7b7c1dad1f6503c541778f31b33f7f62eb966
 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.18.2 with commit c5402fb5f71f1a725f1e55d9c6799c0c7bec308f
 	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.19 with commit 2505a981114dcb715f8977b8433f7540854851d8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49554
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/zsmalloc.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b
 	https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7
 	https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c
 	https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758
 	https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0
 	https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966
 	https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f
 	https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49554: zsmalloc: fix races between asynchronous zspage free and page migration

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	zsmalloc: fix races between asynchronous zspage free and page migration

	The asynchronous zspage free worker tries to lock a zspage's entire page
	list without defending against page migration. Since pages which haven't
	yet been locked can concurrently migrate off the zspage page list while
	lock_zspage() churns away, lock_zspage() can suffer from a few different
	lethal races.

	It can lock a page which no longer belongs to the zspage and unsafely
	dereference page_private(), it can unsafely dereference a torn pointer to
	the next page (since there's a data race), and it can observe a spurious
	NULL pointer to the next page and thus not lock all of the zspage's pages
	(since a single page migration will reconstruct the entire page list, and
	create_page_chain() unconditionally zeroes out each list pointer in the
	process).

	Fix the races by using migrate_read_lock() in lock_zspage() to synchronize
	with page migration.

	The Linux kernel CVE team has assigned CVE-2022-49554 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 4.14.282 with commit 3674d8a8dadd03a447dd21069d4dacfc3399b63b
	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 4.19.246 with commit 645996efc2ae391246d595832aaa6f9d3cc338c7
	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.4.197 with commit fc658c083904427abbf8f18280d517ee2668677c
	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.10.120 with commit fae05b2314b147a78fbed1dc4c645d9a66313758
	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.15.45 with commit 3ec459c8810e658401be428d3168eacfc380bdd0
	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.17.13 with commit 8ba7b7c1dad1f6503c541778f31b33f7f62eb966
	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.18.2 with commit c5402fb5f71f1a725f1e55d9c6799c0c7bec308f
	Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.19 with commit 2505a981114dcb715f8977b8433f7540854851d8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49554
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/zsmalloc.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b
	https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7
	https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c
	https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758
	https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0
	https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966
	https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f
	https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8