FKIE_CVE-2022-49554

Vulnerability from fkie_nvd - Published: 2025-02-26 07:01 - Updated: 2025-10-22 17:33
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races. It can lock a page which no longer belongs to the zspage and unsafely dereference page_private(), it can unsafely dereference a torn pointer to the next page (since there's a data race), and it can observe a spurious NULL pointer to the next page and thus not lock all of the zspage's pages (since a single page migration will reconstruct the entire page list, and create_page_chain() unconditionally zeroes out each list pointer in the process). Fix the races by using migrate_read_lock() in lock_zspage() to synchronize with page migration.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308fPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677cPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D697ED37-2BFA-4A75-9665-BBC0B0BE0FC1",
              "versionEndExcluding": "4.14.282",
              "versionStartIncluding": "4.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FEDF30DC-BB12-4C4C-A134-AA5D59D73C0C",
              "versionEndExcluding": "4.19.246",
              "versionStartIncluding": "4.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7FDD830-741D-44F7-A537-13755A4314DE",
              "versionEndExcluding": "5.4.197",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92818976-ECCC-4744-9287-E2CF4B2C4131",
              "versionEndExcluding": "5.10.120",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08D699AD-F4CE-4BDD-A97E-4997299C7712",
              "versionEndExcluding": "5.15.45",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "192FC54B-5367-49D6-B410-0285F14665B1",
              "versionEndExcluding": "5.17.13",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FF255A1-64F4-4E31-AF44-C92FB8773BA2",
              "versionEndExcluding": "5.18.2",
              "versionStartIncluding": "5.18",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nzsmalloc: fix races between asynchronous zspage free and page migration\n\nThe asynchronous zspage free worker tries to lock a zspage\u0027s entire page\nlist without defending against page migration.  Since pages which haven\u0027t\nyet been locked can concurrently migrate off the zspage page list while\nlock_zspage() churns away, lock_zspage() can suffer from a few different\nlethal races.\n\nIt can lock a page which no longer belongs to the zspage and unsafely\ndereference page_private(), it can unsafely dereference a torn pointer to\nthe next page (since there\u0027s a data race), and it can observe a spurious\nNULL pointer to the next page and thus not lock all of the zspage\u0027s pages\n(since a single page migration will reconstruct the entire page list, and\ncreate_page_chain() unconditionally zeroes out each list pointer in the\nprocess).\n\nFix the races by using migrate_read_lock() in lock_zspage() to synchronize\nwith page migration."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: zsmalloc: arregla las ejecuciones entre la liberaci\u00f3n asincr\u00f3nica de zspage y la migraci\u00f3n de p\u00e1gina El trabajador de liberaci\u00f3n asincr\u00f3nica de zspage intenta bloquear la lista completa de p\u00e1ginas de una zspage sin defenderse contra la migraci\u00f3n de p\u00e1gina. Dado que las p\u00e1ginas que a\u00fan no se han bloqueado pueden migrar simult\u00e1neamente fuera de la lista de p\u00e1ginas de la zspage mientras lock_zspage() se procesa, lock_zspage() puede sufrir algunas ejecuciones letales diferentes. Puede bloquear una p\u00e1gina que ya no pertenece a la zspage y desreferenciar de forma insegura page_private(), puede desreferenciar de forma insegura un puntero roto a la siguiente p\u00e1gina (ya que hay una ejecuci\u00f3n de datos), y puede observar un puntero NULL espurio a la siguiente p\u00e1gina y, por lo tanto, no bloquear todas las p\u00e1ginas de la zspage (ya que una sola migraci\u00f3n de p\u00e1gina reconstruir\u00e1 la lista de p\u00e1ginas completa, y create_page_chain() pone a cero incondicionalmente cada puntero de lista en el proceso). Corrija las ejecuciones usando migrants_read_lock() en lock_zspage() para sincronizar con la migraci\u00f3n de p\u00e1gina."
    }
  ],
  "id": "CVE-2022-49554",
  "lastModified": "2025-10-22T17:33:36.960",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T07:01:31.223",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.