GHSA-8XXH-66CX-J9CJ
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-11-07 21:31In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free.
I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables.
{
"affected": [],
"aliases": [
"CVE-2022-48991"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: invoke MMU notifiers in shmem/file collapse paths\n\nAny codepath that zaps page table entries must invoke MMU notifiers to\nensure that secondary MMUs (like KVM) don\u0027t keep accessing pages which\naren\u0027t mapped anymore. Secondary MMUs don\u0027t hold their own references to\npages that are mirrored over, so failing to notify them can lead to page\nuse-after-free.\n\nI\u0027m marking this as addressing an issue introduced in commit f3f0e1d2150b\n(\"khugepaged: add support of collapse for tmpfs/shmem pages\"), but most of\nthe security impact of this only came in commit 27e1f8273113 (\"khugepaged:\nenable collapse pmd for pte-mapped THP\"), which actually omitted flushes\nfor the removal of present PTEs, not just for the removal of empty page\ntables.",
"id": "GHSA-8xxh-66cx-j9cj",
"modified": "2024-11-07T21:31:38Z",
"published": "2024-10-21T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48991"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/275c626c131cfe141beeb6c575e31fa53d32da19"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5450535901d89a5dcca5fbbc59a24fe89caeb465"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ffc2a75534d9d74d49760f983f8eb675fa63d69"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f445ca2e0e59c7971d0b7b853465e50844ab596"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c23105673228c349739e958fa33955ed8faddcaf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f268f6cf875f3220afc77bdd0bf1bb136eb54db9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ff2a1a6f869650aec99e9d070b5ab625bfbc5bc3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.