CVE-2022-48762

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48762
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48762.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48762
Downstream
Published
2024-06-20T11:13:39Z
Modified
2025-10-21T07:56:18.342213Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
arm64: extable: fix load_unaligned_zeropad() reg indices
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: extable: fix loadunalignedzeropad() reg indices

In exhandlerloadunalignedzeropad() we erroneously extract the data and addr register indices from ex->type rather than ex->data. As ex->type will contain EXTYPELOADUNALIGNEDZEROPAD (i.e. 4): * We'll always treat X0 as the address register, since EXDATAREGADDR is extracted from bits [9:5]. Thus, we may attempt to dereference an arbitrary address as X0 may hold an arbitrary value. * We'll always treat X4 as the data register, since EXDATAREGDATA is extracted from bits [4:0]. Thus we will corrupt X4 and cause arbitrary behaviour within loadunalignedzeropad() and its caller.

Fix this by extracting both values from ex->data as originally intended.

On an MTE-enabled QEMU image we are hitting the following crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: fixupexception+0xc4/0x108 _dokernelfault+0x3c/0x268 dotagcheckfault+0x3c/0x104 domemabort+0x44/0xf4 el1abort+0x40/0x64 el1h64synchandler+0x60/0xa0 el1h64sync+0x7c/0x80 linkpathwalk+0x150/0x344 pathopenat+0xa0/0x7dc dofilpopen+0xb8/0x168 dosysopenat2+0x88/0x17c _arm64sysopenat+0x74/0xa0 invokesyscall+0x48/0x148 el0svccommon+0xb8/0xf8 doel0svc+0x28/0x88 el0svc+0x24/0x84 el0t64synchandler+0x88/0xec el0t64sync+0x1b4/0x1b8 Code: f8695a69 71007d1f 540000e0 927df12a (f940014a)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
753b32368705c396000f95f33c3b7018474e33ad
Fixed
47fe7a1c5e3e011eeb4ab79f2d54a794fdd1c3eb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
753b32368705c396000f95f33c3b7018474e33ad
Fixed
3758a6c74e08bdc15ccccd6872a6ad37d165239a

Affected versions

v5.*

v5.15
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.2
v5.16.3
v5.16.4
v5.17-rc1

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "id": "CVE-2022-48762-6a9b9c81",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3758a6c74e08bdc15ccccd6872a6ad37d165239a",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "96647499906623342329986722214997391482",
                "286857779839729442138962324043094094924",
                "194691071195638115608118837634287281781",
                "194179429082817677417613135908755786105",
                "306759470778083381557558715072694652476"
            ]
        },
        "target": {
            "file": "arch/arm64/mm/extable.c"
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "id": "CVE-2022-48762-720594ab",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@47fe7a1c5e3e011eeb4ab79f2d54a794fdd1c3eb",
        "digest": {
            "function_hash": "313843055720027627984695824255568354489",
            "length": 478.0
        },
        "target": {
            "function": "ex_handler_load_unaligned_zeropad",
            "file": "arch/arm64/mm/extable.c"
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "id": "CVE-2022-48762-afe35a5c",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@47fe7a1c5e3e011eeb4ab79f2d54a794fdd1c3eb",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "96647499906623342329986722214997391482",
                "286857779839729442138962324043094094924",
                "194691071195638115608118837634287281781",
                "194179429082817677417613135908755786105",
                "306759470778083381557558715072694652476"
            ]
        },
        "target": {
            "file": "arch/arm64/mm/extable.c"
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "id": "CVE-2022-48762-ec30e582",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3758a6c74e08bdc15ccccd6872a6ad37d165239a",
        "digest": {
            "function_hash": "313843055720027627984695824255568354489",
            "length": 478.0
        },
        "target": {
            "function": "ex_handler_load_unaligned_zeropad",
            "file": "arch/arm64/mm/extable.c"
        },
        "signature_type": "Function",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.5