CVE-2022-48797

{"id": "CVE-2022-48797", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-16T12:15:04.360", "references": [{"url": "https://git.kernel.org/stable/c/254090925e16abd914c87b4ad1b489440d89c4c3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/80d47f5de5e311cbc0d01ebb6ee684e8f4c196c6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b3dc4b9d3ca68b370c4aeab5355007eedf948849", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d187eeb02d18446e5e54ed6bcbf8b47e6551daea", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/254090925e16abd914c87b4ad1b489440d89c4c3", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/80d47f5de5e311cbc0d01ebb6ee684e8f4c196c6", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/b3dc4b9d3ca68b370c4aeab5355007eedf948849", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/d187eeb02d18446e5e54ed6bcbf8b47e6551daea", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: don't try to NUMA-migrate COW pages that have other uses\n\nOded Gabbay reports that enabling NUMA balancing causes corruption with\nhis Gaudi accelerator test load:\n\n \"All the details are in the bug, but the bottom line is that somehow,\n this patch causes corruption when the numa balancing feature is\n enabled AND we don't use process affinity AND we use GUP to pin pages\n so our accelerator can DMA to/from system memory.\n\n Either disabling numa balancing, using process affinity to bind to\n specific numa-node or reverting this patch causes the bug to\n disappear\"\n\nand Oded bisected the issue to commit 09854ba94c6a (\"mm: do_wp_page()\nsimplification\").\n\nNow, the NUMA balancing shouldn't actually be changing the writability\nof a page, and as such shouldn't matter for COW. But it appears it\ndoes. Suspicious.\n\nHowever, regardless of that, the condition for enabling NUMA faults in\nchange_pte_range() is nonsensical. It uses \"page_mapcount(page)\" to\ndecide if a COW page should be NUMA-protected or not, and that makes\nabsolutely no sense.\n\nThe number of mappings a page has is irrelevant: not only does GUP get a\nreference to a page as in Oded's case, but the other mappings migth be\npaged out and the only reference to them would be in the page count.\n\nSince we should never try to NUMA-balance a page that we can't move\nanyway due to other references, just fix the code to use 'page_count()'.\nOded confirms that that fixes his issue.\n\nNow, this does imply that something in NUMA balancing ends up changing\npage protections (other than the obvious one of making the page\ninaccessible to get the NUMA faulting information). Otherwise the COW\nsimplification wouldn't matter - since doing the GUP on the page would\nmake sure it's writable.\n\nThe cause of that permission change would be good to figure out too,\nsince it clearly results in spurious COW events - but fixing the\nnonsensical test that just happened to work before is obviously the\nCorrectThing(tm) to do regardless."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: no intente migrar p\u00e1ginas COW con NUMA que tengan otros usos Oded Gabbay informa que habilitar el equilibrio de NUMA causa corrupci\u00f3n en la carga de prueba del acelerador Gaud\u00ed: \"Todos los detalles est\u00e1n en el error, pero la conclusi\u00f3n es que de alguna manera, este parche causa corrupci\u00f3n cuando la funci\u00f3n de equilibrio numa est\u00e1 habilitada Y no usamos la afinidad de procesos Y usamos GUP para anclar p\u00e1ginas para que nuestro acelerador pueda DMA hacia/desde la memoria del sistema, ya sea deshabilitando. El equilibrio de numa, el uso de la afinidad del proceso para vincularse a un nodo numa espec\u00edfico o revertir este parche hace que el error desaparezca\" y Oded dividi\u00f3 el problema en dos para el commit 09854ba94c6a (\"mm: simplificaci\u00f3n de do_wp_page()\"). Ahora bien, el equilibrio NUMA en realidad no deber\u00eda cambiar la capacidad de escritura de una p\u00e1gina y, como tal, no deber\u00eda importarle a COW. Pero parece que s\u00ed. Sospechoso. Sin embargo, independientemente de eso, la condici\u00f3n para habilitar fallas NUMA en change_pte_range() no tiene sentido. Utiliza \"page_mapcount(page)\" para decidir si una p\u00e1gina COW debe estar protegida por NUMA o no, y eso no tiene ning\u00fan sentido. El n\u00famero de asignaciones que tiene una p\u00e1gina es irrelevante: GUP no solo obtiene una referencia a una p\u00e1gina como en el caso de Oded, sino que las otras asignaciones podr\u00edan eliminarse y la \u00fanica referencia a ellas estar\u00eda en el recuento de p\u00e1ginas. Dado que nunca debemos intentar equilibrar NUMA una p\u00e1gina que no podemos mover de todos modos debido a otras referencias, simplemente corrija el c\u00f3digo para usar 'page_count()'. Oded confirma que eso soluciona su problema. Ahora bien, esto implica que algo en el equilibrio de NUMA termina cambiando las protecciones de la p\u00e1gina (aparte de la obvia de hacer que la p\u00e1gina sea inaccesible para obtener la informaci\u00f3n de fallas de NUMA). De lo contrario, la simplificaci\u00f3n de COW no importar\u00eda, ya que hacer el GUP en la p\u00e1gina garantizar\u00eda que se pueda escribir. Tambi\u00e9n ser\u00eda bueno descubrir la causa de ese cambio de permiso, ya que claramente da como resultado eventos COW falsos, pero arreglar la prueba sin sentido que funcion\u00f3 antes es obviamente lo CorrectThing(tm) que se debe hacer de todos modos."}], "lastModified": "2025-10-03T14:06:07.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13A085E8-1076-475D-9849-197EAFB230D9", "versionEndExcluding": "5.10.102", "versionStartIncluding": "5.9.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D098AA16-8E21-4EB7-AE2F-1EEB58E1A3A3", "versionEndExcluding": "5.15.25", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D327234-5D4A-43DC-A6DF-BCA0CEBEC039", "versionEndExcluding": "5.16.11", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F79A2EB6-623E-4749-AEE0-DCB58C4C42F8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12019CF2-FD8E-4D59-BA4C-7093DF0BB091"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B1AB90E-C0C6-4027-B27D-BA214BE33561"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "103FE5BA-7315-4263-9C95-EABEAD7E174F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47E31D6A-31EC-4F63-9CAE-B7A52B58E149"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.9:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3497462B-A3DA-47CC-A5DD-C1C2D2E6DFDE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2D2677C-5389-4AE9-869D-0F881E80D923"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}