DEBIAN-CVE-2022-50675

Source
https://security-tracker.debian.org/tracker/CVE-2022-50675
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50675.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-50675
Published
2025-12-09T16:17:19.730Z
Modified
2025-12-10T11:16:22.682787Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored

Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently setting PG_mte_tagged on an untagged page.

The above commit was required as guests may enable MTE without any control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM. However, the side-effect was that any page with a PTE that looked like swap (or migration) was getting PG_mte_tagged set automatically. A subsequent page copy (e.g. migration) copied the tags to the destination page even if the tags were owned by KASAN.

This issue was masked by the page_kasan_tag_reset() call introduced in commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags"). When this commit was reverted (20794545c146), KASAN started reporting access faults because the overriding tags in a page did not match the original page->flags (with CONFIG_KASAN_HW_TAGS=y):

    BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
    Read at addr f5ff000017f2e000 by task syz-executor.1/2218
    Pointer tag: [f5], memory tag: [f2]

Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual place where tags are cleared (mte_sync_page_tags()) or restored (mte_restore_tags()).

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50675.json"

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50675.json"

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.0.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-50675.json"