| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022616-CVE-2022-49554-bd02@gregkh> Date: Wed, 26 Feb 2025 03:13:48 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49554: zsmalloc: fix races between asynchronous zspage free and page migration Description =========== In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races. It can lock a page which no longer belongs to the zspage and unsafely dereference page_private(), it can unsafely dereference a torn pointer to the next page (since there's a data race), and it can observe a spurious NULL pointer to the next page and thus not lock all of the zspage's pages (since a single page migration will reconstruct the entire page list, and create_page_chain() unconditionally zeroes out each list pointer in the process). Fix the races by using migrate_read_lock() in lock_zspage() to synchronize with page migration. The Linux kernel CVE team has assigned CVE-2022-49554 to this issue. Affected and fixed versions =========================== Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 4.14.282 with commit 3674d8a8dadd03a447dd21069d4dacfc3399b63b Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 4.19.246 with commit 645996efc2ae391246d595832aaa6f9d3cc338c7 Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.4.197 with commit fc658c083904427abbf8f18280d517ee2668677c Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.10.120 with commit fae05b2314b147a78fbed1dc4c645d9a66313758 Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.15.45 with commit 3ec459c8810e658401be428d3168eacfc380bdd0 Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.17.13 with commit 8ba7b7c1dad1f6503c541778f31b33f7f62eb966 Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.18.2 with commit c5402fb5f71f1a725f1e55d9c6799c0c7bec308f Issue introduced in 4.14 with commit 77ff465799c60294e248000cd22ae8171da3304c and fixed in 5.19 with commit 2505a981114dcb715f8977b8433f7540854851d8 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49554 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: mm/zsmalloc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7 https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758 https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0 https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966 https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8
Powered by blists - more mailing lists