CVE-2022-50675
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50675
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50675.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-50675
- Downstream
- Published
- 2025-12-09T01:29:27.926Z
- Modified
- 2025-12-09T03:25:54.215837Z
- Summary
- arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
arm64: mte: Avoid setting PGmtetagged if no tags cleared or restored
Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mtesynctags() was only called for ptetagged() entries (those mapped with PROTMTE). Therefore mtesynctags() could safely use testandsetbit(PGmtetagged, &page->flags) without inadvertently setting PGmte_tagged on an untagged page.
The above commit was required as guests may enable MTE without any control at the stage 2 mapping, nor a PROTMTE mapping in the VMM. However, the side-effect was that any page with a PTE that looked like swap (or migration) was getting PGmte_tagged set automatically. A subsequent page copy (e.g. migration) copied the tags to the destination page even if the tags were owned by KASAN.
This issue was masked by the pagekasantagreset() call introduced in commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags"). When this commit was reverted (20794545c146), KASAN started reporting access faults because the overriding tags in a page did not match the original page->flags (with CONFIGKASANHWTAGS=y):
BUG: KASAN: invalid-access in copypage+0x10/0xd0 arch/arm64/lib/copypage.S:26 Read at addr f5ff000017f2e000 by task syz-executor.1/2218 Pointer tag: [f5], memory tag: [f2]
Move the PGmtetagged bit setting from mtesynctags() to the actual place where tags are cleared (mtesyncpagetags()) or restored (mterestore_tags()).
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50675.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/749e9fc18b1e1a3f93a9512e91bd7f93002d2821
- https://git.kernel.org/stable/c/918002bdbe4328c8c0164a22e8ebf2384b80dc23
- https://git.kernel.org/stable/c/a8e5e5146ad08d794c58252bab00b261045ef16d
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50675.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-50675
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced69e3b846d8a753f9f279f29531ca56b0f7563ad0Fixed918002bdbe4328c8c0164a22e8ebf2384b80dc23Fixed749e9fc18b1e1a3f93a9512e91bd7f93002d2821Fixeda8e5e5146ad08d794c58252bab00b261045ef16d