fkie_cve-2022-48802
Vulnerability from fkie_nvd
Published: 2024-07-16 12:15
Modified: 2024-11-21 07:34
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/proc: task_mmu.c: don't read mapcount for migration entry
The syzbot reported the below BUG:
kernel BUG at include/linux/page-flags.h:785!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]
RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744
Call Trace:
page_mapcount include/linux/mm.h:837 [inline]
smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466
smaps_pte_entry fs/proc/task_mmu.c:538 [inline]
smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601
walk_pmd_range mm/pagewalk.c:128 [inline]
walk_pud_range mm/pagewalk.c:205 [inline]
walk_p4d_range mm/pagewalk.c:240 [inline]
walk_pgd_range mm/pagewalk.c:277 [inline]
__walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379
walk_page_vma+0x277/0x350 mm/pagewalk.c:530
smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768
smap_gather_stats fs/proc/task_mmu.c:741 [inline]
show_smap+0xc6/0x440 fs/proc/task_mmu.c:822
seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272
seq_read+0x3e0/0x5b0 fs/seq_file.c:162
vfs_read+0x1b5/0x600 fs/read_write.c:479
ksys_read+0x12d/0x250 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The reproducer was trying to read /proc/$PID/smaps while calling
MADV_FREE at the same time. MADV_FREE may split THPs if it is called
for a partial THP. It may trigger the race below:
CPU A                          CPU B
-----                          -----
smaps walk:                    MADV_FREE:
page_mapcount()
  PageCompound()
                               split_huge_page()
  page = compound_head(page)
  PageDoubleMap(page)
When PageDoubleMap() is called, this page is no longer a tail page of a THP,
so the BUG is triggered.
This could be fixed by elevating the refcount of the page before calling
mapcount, but that would prevent it from counting migration entries, and
it seems like overkill because the race can only happen when the PMD is
split, so all PTE entries of tail pages are actually migration entries,
and smaps_account() does treat migration entries as mapcount == 1, as
Kirill pointed out.
Add a new parameter to smaps_account() to tell whether this entry is a
migration entry, then skip calling page_mapcount(). Don't skip getting the
mapcount for device private entries since they do track references with mapcount.
Pagemap also has a similar issue, although it was not reported. Fixed
it as well.
[shy828301@gmail.com: v4]
Link: https://lkml.kernel.org/r/20220203182641.824731-1-shy828301@gmail.com
[nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()]
Link: https://lkml.kernel.org/r/20220207171049.1102239-1-nathan@kernel.org
References
Fix commits on git.kernel.org (stable), listed by both NVD sources 416baaa9-dc9f-4396-8d5f-8c081fb06d67 and af854a3a-2127-422b-91ae-364da2661108:
- https://git.kernel.org/stable/c/05d3f8045efa59457b323caf00bdb9273b7962fa
- https://git.kernel.org/stable/c/24d7275ce2791829953ed4e72f68277ceb2571c6
- https://git.kernel.org/stable/c/a8dd0cfa37792863b6c4bf9542975212a6715d49
- https://git.kernel.org/stable/c/db3f3636e4aed2cba3e4e7897a053323f7a62249
Record metadata
id: CVE-2022-48802
published: 2024-07-16T12:15:04.690
lastModified: 2024-11-21T07:34:07.003
sourceIdentifier: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
vulnStatus: Awaiting Analysis
metrics: none recorded
cveTags: none