CVE-2022-49760 (GCVE-0-2022-49760)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix PTE marker handling in hugetlb_change_protection() Patch series "mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()". Playing with virtio-mem and background snapshots (using uffd-wp) on hugetlb in QEMU, I managed to trigger a VM_BUG_ON(). Looking into the details, hugetlb_change_protection() seems to not handle uffd-wp correctly in all cases. Patch #1 fixes my test case. I don't have reproducers for patch #2, as it requires running into migration entries. I did not yet check in detail yet if !hugetlb code requires similar care. This patch (of 2): There are two problematic cases when stumbling over a PTE marker in hugetlb_change_protection(): (1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will end up in the "!huge_pte_none(pte)" case and mess up the PTE marker. (2) We unprotect a uffd-wp PTE marker: we will similarly end up in the "!huge_pte_none(pte)" case even though we cleared the PTE, because the "pte" variable is stale. We'll mess up the PTE marker. For example, if we later stumble over such a "wrongly modified" PTE marker, we'll treat it like a present PTE that maps some garbage page. This can, for example, be triggered by mapping a memfd backed by huge pages, registering uffd-wp, uffd-wp'ing an unmapped page and (a) uffd-wp'ing it a second time; or (b) uffd-unprotecting it; or (c) unregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE) on that file range, we will run into a VM_BUG_ON: [ 195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 [ 195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff) [ 195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000 [ 195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 195.039569] page dumped because: VM_BUG_ON_PAGE(compound && !PageHead(page)) [ 195.039573] ------------[ cut here ]------------ [ 195.039574] kernel BUG at mm/rmap.c:1346! [ 195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1 [ 195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022 [ 195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550 [ 195.039588] Code: [...] [ 195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292 [ 195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000 [ 195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff [ 195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08 [ 195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0 [ 195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100 [ 195.039595] FS: 00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000 [ 195.039596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0 [ 195.039598] PKRU: 55555554 [ 195.039599] Call Trace: [ 195.039600] <TASK> [ 195.039602] __unmap_hugepage_range+0x33b/0x7d0 [ 195.039605] unmap_hugepage_range+0x55/0x70 [ 195.039608] hugetlb_vmdelete_list+0x77/0xa0 [ 195.039611] hugetlbfs_fallocate+0x410/0x550 [ 195.039612] ? _raw_spin_unlock_irqrestore+0x23/0x40 [ 195.039616] vfs_fallocate+0x12e/0x360 [ 195.039618] __x64_sys_fallocate+0x40/0x70 [ 195.039620] do_syscall_64+0x58/0x80 [ 195.039623] ? syscall_exit_to_user_mode+0x17/0x40 [ 195.039624] ? do_syscall_64+0x67/0x80 [ 195.039626] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 195.039628] RIP: 0033:0x7fc7b590651f [ 195.039653] Code: [...] [ 195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d [ 195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0e678153f5be7e6c8d28835f5a678618da4b7a9c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6062c992e912df1eedad52cf64efb3d48e8d35c5
Impacted products
Vendor Product Version
Linux Linux Version: 60dfaad65aa97fb6755b9798a6b3c9e79bcd5930
Version: 60dfaad65aa97fb6755b9798a6b3c9e79bcd5930
 Create a notification for this product.
   Linux Linux Version: 5.19
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6062c992e912df1eedad52cf64efb3d48e8d35c5",
              "status": "affected",
              "version": "60dfaad65aa97fb6755b9798a6b3c9e79bcd5930",
              "versionType": "git"
            },
            {
              "lessThan": "0e678153f5be7e6c8d28835f5a678618da4b7a9c",
              "status": "affected",
              "version": "60dfaad65aa97fb6755b9798a6b3c9e79bcd5930",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.8",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix PTE marker handling in hugetlb_change_protection()\n\nPatch series \"mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()\".\n\nPlaying with virtio-mem and background snapshots (using uffd-wp) on\nhugetlb in QEMU, I managed to trigger a VM_BUG_ON().  Looking into the\ndetails, hugetlb_change_protection() seems to not handle uffd-wp correctly\nin all cases.\n\nPatch #1 fixes my test case.  I don\u0027t have reproducers for patch #2, as it\nrequires running into migration entries.\n\nI did not yet check in detail yet if !hugetlb code requires similar care.\n\n\nThis patch (of 2):\n\nThere are two problematic cases when stumbling over a PTE marker in\nhugetlb_change_protection():\n\n(1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will\n    end up in the \"!huge_pte_none(pte)\" case and mess up the PTE marker.\n\n(2) We unprotect a uffd-wp PTE marker: we will similarly end up in the\n    \"!huge_pte_none(pte)\" case even though we cleared the PTE, because\n    the \"pte\" variable is stale. We\u0027ll mess up the PTE marker.\n\nFor example, if we later stumble over such a \"wrongly modified\" PTE marker,\nwe\u0027ll treat it like a present PTE that maps some garbage page.\n\nThis can, for example, be triggered by mapping a memfd backed by huge\npages, registering uffd-wp, uffd-wp\u0027ing an unmapped page and (a)\nuffd-wp\u0027ing it a second time; or (b) uffd-unprotecting it; or (c)\nunregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE)\non that file range, we will run into a VM_BUG_ON:\n\n[  195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0\n[  195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff)\n[  195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000\n[  195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[  195.039569] page dumped because: VM_BUG_ON_PAGE(compound \u0026\u0026 !PageHead(page))\n[  195.039573] ------------[ cut here ]------------\n[  195.039574] kernel BUG at mm/rmap.c:1346!\n[  195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[  195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1\n[  195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022\n[  195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550\n[  195.039588] Code: [...]\n[  195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292\n[  195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000\n[  195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff\n[  195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08\n[  195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0\n[  195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100\n[  195.039595] FS:  00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000\n[  195.039596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0\n[  195.039598] PKRU: 55555554\n[  195.039599] Call Trace:\n[  195.039600]  \u003cTASK\u003e\n[  195.039602]  __unmap_hugepage_range+0x33b/0x7d0\n[  195.039605]  unmap_hugepage_range+0x55/0x70\n[  195.039608]  hugetlb_vmdelete_list+0x77/0xa0\n[  195.039611]  hugetlbfs_fallocate+0x410/0x550\n[  195.039612]  ? _raw_spin_unlock_irqrestore+0x23/0x40\n[  195.039616]  vfs_fallocate+0x12e/0x360\n[  195.039618]  __x64_sys_fallocate+0x40/0x70\n[  195.039620]  do_syscall_64+0x58/0x80\n[  195.039623]  ? syscall_exit_to_user_mode+0x17/0x40\n[  195.039624]  ? do_syscall_64+0x67/0x80\n[  195.039626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  195.039628] RIP: 0033:0x7fc7b590651f\n[  195.039653] Code: [...]\n[  195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d\n[  195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:44:48.484Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6062c992e912df1eedad52cf64efb3d48e8d35c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e678153f5be7e6c8d28835f5a678618da4b7a9c"
        }
      ],
      "title": "mm/hugetlb: fix PTE marker handling in hugetlb_change_protection()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49760",
    "datePublished": "2025-03-27T16:43:07.001Z",
    "dateReserved": "2025-03-27T16:39:17.990Z",
    "dateUpdated": "2025-05-04T08:44:48.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49760\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-03-27T17:15:41.280\",\"lastModified\":\"2025-03-28T18:11:49.747\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/hugetlb: fix PTE marker handling in hugetlb_change_protection()\\n\\nPatch series \\\"mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()\\\".\\n\\nPlaying with virtio-mem and background snapshots (using uffd-wp) on\\nhugetlb in QEMU, I managed to trigger a VM_BUG_ON().  Looking into the\\ndetails, hugetlb_change_protection() seems to not handle uffd-wp correctly\\nin all cases.\\n\\nPatch #1 fixes my test case.  I don\u0027t have reproducers for patch #2, as it\\nrequires running into migration entries.\\n\\nI did not yet check in detail yet if !hugetlb code requires similar care.\\n\\n\\nThis patch (of 2):\\n\\nThere are two problematic cases when stumbling over a PTE marker in\\nhugetlb_change_protection():\\n\\n(1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will\\n    end up in the \\\"!huge_pte_none(pte)\\\" case and mess up the PTE marker.\\n\\n(2) We unprotect a uffd-wp PTE marker: we will similarly end up in the\\n    \\\"!huge_pte_none(pte)\\\" case even though we cleared the PTE, because\\n    the \\\"pte\\\" variable is stale. We\u0027ll mess up the PTE marker.\\n\\nFor example, if we later stumble over such a \\\"wrongly modified\\\" PTE marker,\\nwe\u0027ll treat it like a present PTE that maps some garbage page.\\n\\nThis can, for example, be triggered by mapping a memfd backed by huge\\npages, registering uffd-wp, uffd-wp\u0027ing an unmapped page and (a)\\nuffd-wp\u0027ing it a second time; or (b) uffd-unprotecting it; or (c)\\nunregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE)\\non that file range, we will run into a VM_BUG_ON:\\n\\n[  195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0\\n[  195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff)\\n[  195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000\\n[  195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\\n[  195.039569] page dumped because: VM_BUG_ON_PAGE(compound \u0026\u0026 !PageHead(page))\\n[  195.039573] ------------[ cut here ]------------\\n[  195.039574] kernel BUG at mm/rmap.c:1346!\\n[  195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\\n[  195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1\\n[  195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022\\n[  195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550\\n[  195.039588] Code: [...]\\n[  195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292\\n[  195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000\\n[  195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff\\n[  195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08\\n[  195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0\\n[  195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100\\n[  195.039595] FS:  00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000\\n[  195.039596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[  195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0\\n[  195.039598] PKRU: 55555554\\n[  195.039599] Call Trace:\\n[  195.039600]  \u003cTASK\u003e\\n[  195.039602]  __unmap_hugepage_range+0x33b/0x7d0\\n[  195.039605]  unmap_hugepage_range+0x55/0x70\\n[  195.039608]  hugetlb_vmdelete_list+0x77/0xa0\\n[  195.039611]  hugetlbfs_fallocate+0x410/0x550\\n[  195.039612]  ? _raw_spin_unlock_irqrestore+0x23/0x40\\n[  195.039616]  vfs_fallocate+0x12e/0x360\\n[  195.039618]  __x64_sys_fallocate+0x40/0x70\\n[  195.039620]  do_syscall_64+0x58/0x80\\n[  195.039623]  ? syscall_exit_to_user_mode+0x17/0x40\\n[  195.039624]  ? do_syscall_64+0x67/0x80\\n[  195.039626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n[  195.039628] RIP: 0033:0x7fc7b590651f\\n[  195.039653] Code: [...]\\n[  195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d\\n[  195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0e678153f5be7e6c8d28835f5a678618da4b7a9c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6062c992e912df1eedad52cf64efb3d48e8d35c5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.