Bug 2419847 (CVE-2022-50630) - CVE-2022-50630 kernel: mm: hugetlb: fix UAF in hugetlb_handle_userfault
Summary: CVE-2022-50630 kernel: mm: hugetlb: fix UAF in hugetlb_handle_userfault
Keywords:
Status: NEW
Alias: CVE-2022-50630
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-08 07:03 UTC by OSIDB Bzimport
Modified: 2025-12-17 20:29 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-08 07:03:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mm: hugetlb: fix UAF in hugetlb_handle_userfault

The vma_lock and hugetlb_fault_mutex are dropped before handling userfault
and reacquire them again after handle_userfault(), but reacquire the
vma_lock could lead to UAF[1,2] due to the following race,

hugetlb_fault
  hugetlb_no_page
    /*unlock vma_lock */
    hugetlb_handle_userfault
      handle_userfault
        /* unlock mm->mmap_lock*/
                                           vm_mmap_pgoff
                                             do_mmap
                                               mmap_region
                                                 munmap_vma_range
                                                   /* clean old vma */
        /* lock vma_lock again  <--- UAF */
    /* unlock vma_lock */

Since the vma_lock will unlock immediately after
hugetlb_handle_userfault(), let's drop the unneeded lock and unlock in
hugetlb_handle_userfault() to fix the issue.

[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/
[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/
Comment 1 Alexander B 2025-12-10 10:26:08 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120854-CVE-2022-50630-3891@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.