CVE-2022-48986

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/gup: fix gup_pud_range() for dax

For dax pud, pud_huge() returns true on x86. So the function works as long as hugetlb is configured. However, dax doesn't depend on hugetlb. Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as well.

This fixes the below kernel panic:

general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP < snip > Call Trace: <TASK> get_user_pages_fast+0x1f/0x40 iov_iter_get_pages+0xc6/0x3b0 ? mempool_alloc+0x5d/0x170 bio_iov_iter_get_pages+0x82/0x4e0 ? bvec_alloc+0x91/0xc0 ? bio_alloc_bioset+0x19a/0x2a0 blkdev_direct_IO+0x282/0x480 ? __io_complete_rw_common+0xc0/0xc0 ? filemap_range_has_page+0x82/0xc0 generic_file_direct_write+0x9d/0x1a0 ? inode_update_time+0x24/0x30 __generic_file_write_iter+0xbd/0x1e0 blkdev_write_iter+0xb4/0x150 ? io_import_iovec+0x8d/0x340 io_write+0xf9/0x300 io_issue_sqe+0x3c3/0x1d30 ? sysvec_reschedule_ipi+0x6c/0x80 __io_queue_sqe+0x33/0x240 ? fget+0x76/0xa0 io_submit_sqes+0xe6a/0x18d0 ? __fget_light+0xd1/0x100 __x64_sys_io_uring_enter+0x199/0x880 ? __context_tracking_enter+0x1f/0x70 ? irqentry_exit_to_user_mode+0x24/0x30 ? irqentry_exit+0x1d/0x30 ? __context_tracking_exit+0xe/0x70 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fc97c11a7be < snip > </TASK> —[ end trace 48b2e0e67debcaeb ]— RIP: 0010:internal_get_user_pages_fast+0x340/0x990 < snip > Kernel panic - not syncing: Fatal exception Kernel Offset: disabled

Affected Software

VendorProductVersion RangeStatus
LinuxLinux414fd080d125408cb15d04ff4907e1dd8145c8c7 < 04edfa3dc06ecfc6133a33bc7271298782dee875affected
LinuxLinux414fd080d125408cb15d04ff4907e1dd8145c8c7 < f1cf856123ceb766c49967ec79b841030fa1741faffected
LinuxLinux414fd080d125408cb15d04ff4907e1dd8145c8c7 < 3ac29732a2ffa64c7de13a072b0f2848b9c11037affected
LinuxLinux414fd080d125408cb15d04ff4907e1dd8145c8c7 < e06d13c36ded750c72521b600293befebb4e56c5affected
LinuxLinux414fd080d125408cb15d04ff4907e1dd8145c8c7 < fcd0ccd836ffad73d98a66f6fea7b16f735ea920affected
LinuxLinuxc133d8eb894cb280f331608c6f1962ba9fbfe6b0affected
LinuxLinux538162d21ac877b060dc057c89f13718f5caffc5affected
LinuxLinux8b1a7762e0dac5db42a003009fdcb425f10baa07affected
LinuxLinux4.9.165 < 4.10affected
LinuxLinux4.14.108 < 4.15affected
LinuxLinux4.19.31 < 4.20affected
LinuxLinux5.0affected
LinuxLinux0 < 5.0unaffected
LinuxLinux5.4.227 <= 5.4.*unaffected
LinuxLinux5.10.159 <= 5.10.*unaffected
LinuxLinux5.15.83 <= 5.15.*unaffected
LinuxLinux6.0.13 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References