Message-ID: <2025022657-CVE-2022-49081-7a0f@gregkh>
Date: Wed, 26 Feb 2025 02:54:46 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49081: highmem: fix checks in __kmap_local_sched_{in,out}

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

highmem: fix checks in __kmap_local_sched_{in,out}

When CONFIG_DEBUG_KMAP_LOCAL is enabled __kmap_local_sched_{in,out} check
that even slots in the tsk->kmap_ctrl.pteval are unmapped.  The slots are
initialized with 0 value, but the check is done with pte_none.  0 pte
however does not necessarily mean that pte_none will return true.  e.g.
on xtensa it returns false, resulting in the following runtime warnings:

 WARNING: CPU: 0 PID: 101 at mm/highmem.c:627 __kmap_local_sched_out+0x51/0x108
 CPU: 0 PID: 101 Comm: touch Not tainted 5.17.0-rc7-00010-gd3a1cdde80d2-dirty #13
 Call Trace:
   dump_stack+0xc/0x40
   __warn+0x8f/0x174
   warn_slowpath_fmt+0x48/0xac
   __kmap_local_sched_out+0x51/0x108
   __schedule+0x71a/0x9c4
   preempt_schedule_irq+0xa0/0xe0
   common_exception_return+0x5c/0x93
   do_wp_page+0x30e/0x330
   handle_mm_fault+0xa70/0xc3c
   do_page_fault+0x1d8/0x3c4
   common_exception+0x7f/0x7f

 WARNING: CPU: 0 PID: 101 at mm/highmem.c:664 __kmap_local_sched_in+0x50/0xe0
 CPU: 0 PID: 101 Comm: touch Tainted: G        W         5.17.0-rc7-00010-gd3a1cdde80d2-dirty #13
 Call Trace:
   dump_stack+0xc/0x40
   __warn+0x8f/0x174
   warn_slowpath_fmt+0x48/0xac
   __kmap_local_sched_in+0x50/0xe0
   finish_task_switch$isra$0+0x1ce/0x2f8
   __schedule+0x86e/0x9c4
   preempt_schedule_irq+0xa0/0xe0
   common_exception_return+0x5c/0x93
   do_wp_page+0x30e/0x330
   handle_mm_fault+0xa70/0xc3c
   do_page_fault+0x1d8/0x3c4
   common_exception+0x7f/0x7f

Fix it by replacing !pte_none(pteval) with pte_val(pteval) != 0.

The Linux kernel CVE team has assigned CVE-2022-49081 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.15.34 with commit c21d040de6225414547d9bd31cd200f290991c85
	Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.16.20 with commit 85550b0f5fa5dd3c30469ea702c44444ef242c83
	Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.17.3 with commit 7dd5b3b97716a611fcf67d92fd2370fcb8d50372
	Issue introduced in 5.11 with commit 5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 and fixed in 5.18 with commit 66f133ceab7456c789f70a242991ed1b27ba1c3d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49081
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	mm/highmem.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c21d040de6225414547d9bd31cd200f290991c85
	https://git.kernel.org/stable/c/85550b0f5fa5dd3c30469ea702c44444ef242c83
	https://git.kernel.org/stable/c/7dd5b3b97716a611fcf67d92fd2370fcb8d50372
	https://git.kernel.org/stable/c/66f133ceab7456c789f70a242991ed1b27ba1c3d

Powered by blists - more mailing lists