CVE-2022-50675

Summary

In the Linux kernel, the following vulnerability has been resolved:

arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored

Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently setting PG_mte_tagged on an untagged page.

The above commit was required as guests may enable MTE without any control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM. However, the side-effect was that any page with a PTE that looked like swap (or migration) was getting PG_mte_tagged set automatically. A subsequent page copy (e.g. migration) copied the tags to the destination page even if the tags were owned by KASAN.

This issue was masked by the page_kasan_tag_reset() call introduced in commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags"). When this commit was reverted (20794545c146), KASAN started reporting access faults because the overriding tags in a page did not match the original page->flags (with CONFIG_KASAN_HW_TAGS=y):

BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26 Read at addr f5ff000017f2e000 by task syz-executor.1/2218 Pointer tag: [f5], memory tag: [f2]

Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual place where tags are cleared (mte_sync_page_tags()) or restored (mte_restore_tags()).

Affected Software

VendorProductVersion RangeStatus
LinuxLinux69e3b846d8a753f9f279f29531ca56b0f7563ad0 < 918002bdbe4328c8c0164a22e8ebf2384b80dc23affected
LinuxLinux69e3b846d8a753f9f279f29531ca56b0f7563ad0 < 749e9fc18b1e1a3f93a9512e91bd7f93002d2821affected
LinuxLinux69e3b846d8a753f9f279f29531ca56b0f7563ad0 < a8e5e5146ad08d794c58252bab00b261045ef16daffected
LinuxLinux5.14affected
LinuxLinux0 < 5.14unaffected
LinuxLinux5.15.82 <= 5.15.*unaffected
LinuxLinux6.0.3 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References