2320713 – (CVE-2022-48991) CVE-2022-48991 kernel: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

Bug 2320713 (CVE-2022-48991) - CVE-2022-48991 kernel: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

Summary: CVE-2022-48991 kernel: mm/khugepaged: invoke MMU notifiers in shmem/file coll...

Keywords:
Status:	NEW
Alias:	CVE-2022-48991
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-21 21:04 UTC by OSIDB Bzimport
Modified:	2024-10-22 08:47 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-10-21 21:04:29 UTC

In the Linux kernel, the following vulnerability has been resolved:

mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

Any codepath that zaps page table entries must invoke MMU notifiers to
ensure that secondary MMUs (like KVM) don't keep accessing pages which
aren't mapped anymore.  Secondary MMUs don't hold their own references to
pages that are mirrored over, so failing to notify them can lead to page
use-after-free.

I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
the security impact of this only came in commit 27e1f8273113 ("khugepaged:
enable collapse pmd for pte-mapped THP"), which actually omitted flushes
for the removal of present PTEs, not just for the removal of empty page
tables.

Comment 1 Avinash Hanwate 2024-10-22 07:04:55 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102148-CVE-2022-48991-3987@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.