Bug 2130141 (CVE-2022-39188) - CVE-2022-39188 Kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry
Summary: CVE-2022-39188 Kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP ...
Keywords:
Status: NEW
Alias: CVE-2022-39188
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2130164 2130165 2130166 2130167 2130158
Blocks: 2123792
TreeView+ depends on / blocked
 
Reported: 2022-09-27 10:13 UTC by Rohit Keshri
Modified: 2022-12-31 23:36 UTC (History)
51 users (show)

Fixed In Version: Kernel 5.19
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in include/asm-generic/tlb.h in the Linux kernel due to a race condition (unmap_mapping_range versus munmap). This issue allows a device driver to free a page while it still has stale TLB entries.
Clone Of:
Environment:
Last Closed:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Rohit Keshri 2022-09-27 10:13:33 UTC 
An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.

Refrence:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b67fbebd4cf980aecbcc750e1462128bffe8ae15
https://bugs.chromium.org/p/project-zero/issues/detail?id=2329
Comment 2 Rohit Keshri 2022-09-27 11:09:38 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2130158]
Comment 4 Justin M. Forbes 2022-09-28 16:26:02 UTC 
This was fixed for Fedora with the 5.19 kernel rebases.
Note You need to log in before you can comment on or make changes to this bug.