CVE-2022-48897

Source
https://cve.org/CVERecord?id=CVE-2022-48897
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48897.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48897
Downstream
Published
2024-08-21T06:10:29.785Z
Modified
2026-03-11T00:54:11.845716Z
Summary
arm64/mm: fix incorrect file_map_count for invalid pmd
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64/mm: fix incorrect file_map_count for invalid pmd

The page table check triggers BUG_ON() unexpectedly when splitting a hugepage:

------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:119!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ #748
Hardware name: linux,dummy-virt (DT)
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : page_table_check_set.isra.0+0x398/0x468
lr : page_table_check_set.isra.0+0x1c0/0x468
[...]
Call trace:
page_table_check_set.isra.0+0x398/0x468
__page_table_check_pte_set+0x160/0x1c0
__split_huge_pmd_locked+0x900/0x1648
__split_huge_pmd+0x28c/0x3b8
unmap_page_range+0x428/0x858
unmap_single_vma+0xf4/0x1c8
zap_page_range+0x2b0/0x410
madvise_vma_behavior+0xc44/0xe78
do_madvise+0x280/0x698
__arm64_sys_madvise+0x90/0xe8
invoke_syscall.constprop.0+0xdc/0x1d8
do_el0_svc+0xf4/0x3f8
el0_svc+0x58/0x120
el0t_64_sync_handler+0xb8/0xc0
el0t_64_sync+0x19c/0x1a0
[...]

On arm64, pmd_leaf() will return true even if the pmd is invalid due to the pmd_present_invalid() check. So in pmdp_invalidate() the file_map_count will not only decrease once but also increase once. Then in set_pte_at(), the file_map_count increases again, and so triggers BUG_ON() unexpectedly.

Add a !pmd_present_invalid() check in pmd_user_accessible_page() to fix the problem.
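As an added illustration, not code from this record or from the kernel, the following constructed C model replays the accounting sequence described above: a toy pmd with a valid bit, a table bit, a user bit and a software present-invalid bit, for which pmd_leaf() still returns true after pmd_mkinvalid(), so the pre-fix predicate re-counts the invalidated entry and the later set_pte_at() leaves each subpage counted twice, while the fixed predicate leaves it counted once. Bit positions and the counter are simplifying assumptions, not the kernel's actual layout or page_table_check implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy pmd descriptor (constructed model, not the kernel's layout). */
typedef uint64_t pmd_t;
#define PMD_VALID           (1ULL << 0)   /* hardware valid bit */
#define PMD_TABLE           (1ULL << 1)   /* 1 = table, 0 = block (huge page) */
#define PMD_USER            (1ULL << 6)   /* user accessible */
#define PMD_PRESENT_INVALID (1ULL << 59)  /* software bit set by pmd_mkinvalid() */

static bool pmd_present_invalid(pmd_t pmd) { return pmd & PMD_PRESENT_INVALID; }
static bool pmd_user(pmd_t pmd)            { return pmd & PMD_USER; }
/* "present" includes the present-but-invalid state, so a pmd mid-split is still a leaf */
static bool pmd_present(pmd_t pmd) { return (pmd & PMD_VALID) || pmd_present_invalid(pmd); }
static bool pmd_leaf(pmd_t pmd)    { return pmd_present(pmd) && !(pmd & PMD_TABLE); }
static pmd_t pmd_mkinvalid(pmd_t pmd) { return (pmd & ~PMD_VALID) | PMD_PRESENT_INVALID; }

/* Predicate before the fix: an invalidated block pmd still counts as a user mapping. */
static bool pmd_user_accessible_page_old(pmd_t pmd) { return pmd_leaf(pmd) && pmd_user(pmd); }
/* Predicate after the fix: present-invalid pmds are excluded. */
static bool pmd_user_accessible_page_new(pmd_t pmd)
{
    return pmd_leaf(pmd) && !pmd_present_invalid(pmd) && pmd_user(pmd);
}

/* Replays the split sequence from the report; returns the per-subpage map count left behind. */
static int split_map_count(bool fixed)
{
    bool (*accessible)(pmd_t) = fixed ? pmd_user_accessible_page_new : pmd_user_accessible_page_old;
    pmd_t huge = PMD_VALID | PMD_USER;
    int map_count = 0;

    if (accessible(huge)) map_count++;   /* huge page originally mapped: count = 1 */
    /* pmdp_invalidate(): the check clears the old entry, then "sets" the invalidated one */
    pmd_t inv = pmd_mkinvalid(huge);
    if (accessible(huge)) map_count--;
    if (accessible(inv)) map_count++;    /* old predicate: still true, count back to 1 */
    /* __split_huge_pmd_locked() -> set_pte_at(): each subpage is now mapped by a pte */
    map_count++;
    return map_count;                    /* 2 = double counted, 1 = consistent */
}

int main(void)
{
    printf("pmd_leaf(invalid pmd) = %d\n", pmd_leaf(pmd_mkinvalid(PMD_VALID | PMD_USER)));
    printf("map count before fix = %d, after fix = %d\n", split_map_count(false), split_map_count(true));
    return 0;
}
```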

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48897.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
42b2547137f5c974bb1bfd657c869fe96b96d86f
Fixed
21e5eca0ac9046da9918a919bc92b7b5a78d27e7
Fixed
74c2f81054510d45b813548cb0a1c4ebf87cdd5f

Affected versions

v5.*
v5.18
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2-rc1

Database specific

vanir_signatures
[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2022-48897-aae6e800",
        "target": {
            "file": "arch/arm64/include/asm/pgtable.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "103018055793085398549219050941122367207",
                "121902217310614962299391523459353346349",
                "234617898214254618583781033206033146374",
                "330382534119236508521481491714902273308"
            ]
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@21e5eca0ac9046da9918a919bc92b7b5a78d27e7"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48897.json"