nvd-json-data-feeds/CVE-2022/CVE-2022-490xx/CVE-2022-49067.json

{
  "id": "CVE-2022-49067",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2025-02-26T07:00:43.927",
  "lastModified": "2025-02-26T07:00:43.927",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit\n\nmpe: On 64-bit Book3E vmalloc space starts at 0x8000000000000000.\n\nBecause of the way __pa() works we have:\n  __pa(0x8000000000000000) == 0, and therefore\n  virt_to_pfn(0x8000000000000000) == 0, and therefore\n  virt_addr_valid(0x8000000000000000) == true\n\nWhich is wrong, virt_addr_valid() should be false for vmalloc space.\nIn fact all vmalloc addresses that alias with a valid PFN will return\ntrue from virt_addr_valid(). That can cause bugs with hardened usercopy\nas described below by Kefeng Wang:\n\n  When running ethtool eth0 on 64-bit Book3E, a BUG occurred:\n\n    usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size 1048)!\n    kernel BUG at mm/usercopy.c:99\n    ...\n    usercopy_abort+0x64/0xa0 (unreliable)\n    __check_heap_object+0x168/0x190\n    __check_object_size+0x1a0/0x200\n    dev_ethtool+0x2494/0x2b20\n    dev_ioctl+0x5d0/0x770\n    sock_do_ioctl+0xf0/0x1d0\n    sock_ioctl+0x3ec/0x5a0\n    __se_sys_ioctl+0xf0/0x160\n    system_call_exception+0xfc/0x1f0\n    system_call_common+0xf8/0x200\n\n  The code shows below,\n\n    data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));\n    copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))\n\n  The data is alloced by vmalloc(), virt_addr_valid(ptr) will return true\n  on 64-bit Book3E, which leads to the panic.\n\n  As commit 4dd7554a6456 (\"powerpc/64: Add VIRTUAL_BUG_ON checks for __va\n  and __pa addresses\") does, make sure the virt addr above PAGE_OFFSET in\n  the virt_addr_valid() for 64-bit, also add upper limit check to make\n  sure the virt is below high_memory.\n\n  Meanwhile, for 32-bit PAGE_OFFSET is the virtual address of the start\n  of lowmem, high_memory is the upper low virtual address, the check is\n  suitable for 32-bit, this will fix the issue mentioned in commit\n  602946ec2f90 (\"powerpc: Set max_mapnr correctly\") too.\n\nOn 32-bit there is a similar problem with high memory, that was fixed in\ncommit 602946ec2f90 (\"powerpc: Set max_mapnr correctly\"), but that\ncommit breaks highmem and needs to be reverted.\n\nWe can't easily fix __pa(), we have code that relies on its current\nbehaviour. So for now add extra checks to virt_addr_valid().\n\nFor 64-bit Book3S the extra checks are not necessary, the combination of\nvirt_to_pfn() and pfn_valid() should yield the correct result, but they\nare harmless.\n\n[mpe: Add additional change log detail]"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc: Arreglar virt_addr_valid() para Book3E de 64 bits y mpe de 32 bits: En Book3E de 64 bits, el espacio vmalloc comienza en 0x8000000000000000. Debido a la forma en que funciona __pa() tenemos: __pa(0x8000000000000000) == 0, y por lo tanto virt_to_pfn(0x8000000000000000) == 0, y por lo tanto virt_addr_valid(0x8000000000000000) == true Lo cual es incorrecto, virt_addr_valid() deber\u00eda ser falso para el espacio vmalloc. De hecho, todas las direcciones vmalloc que tengan un alias con un PFN v\u00e1lido devolver\u00e1n verdadero desde virt_addr_valid(). Esto puede causar errores con usercopy reforzado como lo describe a continuaci\u00f3n Kefeng Wang: Al ejecutar ethtool eth0 en Book3E de 64 bits, ocurri\u00f3 un ERROR: usercopy: \u00a1Intento de exposici\u00f3n de memoria del kernel detectado desde un objeto SLUB que no est\u00e1 en la p\u00e1gina SLUB! (desplazamiento 0, tama\u00f1o 1048). ERROR del kernel en mm/usercopy.c:99 ... usercopy_abort+0x64/0xa0 (no confiable) __check_heap_object+0x168/0x190 __check_object_size+0x1a0/0x200 dev_ethtool+0x2494/0x2b20 dev_ioctl+0x5d0/0x770 sock_do_ioctl+0xf0/0x1d0 sock_ioctl+0x3ec/0x5a0 __se_sys_ioctl+0xf0/0x160 system_call_exception+0xfc/0x1f0 system_call_common+0xf8/0x200 El c\u00f3digo se muestra a continuaci\u00f3n, data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN)); copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) Los datos se asignan mediante vmalloc(), virt_addr_valid(ptr) devolver\u00e1 verdadero en Book3E de 64 bits, lo que genera el p\u00e1nico. Como lo hace el commit 4dd7554a6456 (\"powerpc/64: Agregar comprobaciones VIRTUAL_BUG_ON para direcciones __va y __pa\"), aseg\u00farese de que la direcci\u00f3n virt sea superior a PAGE_OFFSET en virt_addr_valid() para 64 bits, y agregue tambi\u00e9n una comprobaci\u00f3n de l\u00edmite superior para asegurarse de que la direcci\u00f3n virt est\u00e9 por debajo de high_memory. Mientras tanto, para 32 bits PAGE_OFFSET es la direcci\u00f3n virtual del inicio de lowmem, high_memory es la direcci\u00f3n virtual baja superior, la comprobaci\u00f3n es adecuada para 32 bits, esto solucionar\u00e1 tambi\u00e9n el problema mencionado en el commit 602946ec2f90 (\"powerpc: Set max_mapnr properly\"). En 32 bits hay un problema similar con la memoria alta, que se solucion\u00f3 en el commit 602946ec2f90 (\"powerpc: Set max_mapnr properly\"), pero ese commit rompe highmem y necesita ser revertido. No podemos arreglar f\u00e1cilmente __pa(), tenemos c\u00f3digo que depende de su comportamiento actual. As\u00ed que por ahora agregue comprobaciones adicionales a virt_addr_valid(). Para Book3S de 64 bits las comprobaciones adicionales no son necesarias, la combinaci\u00f3n de virt_to_pfn() y pfn_valid() deber\u00eda producir el resultado correcto, pero son inofensivas. [mpe: Agregar detalles adicionales del registro de cambios]"
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/a3727c25eacd7e437c4f560957fa3a376fe93e6b",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/cbc065efcba000ad8f615f506ebe61b6d3c5145b",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/d36febbcd537fcc50284e8b89609632d0146529f",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/deab81144d5a043f42804207fb76cfbd8a806978",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/fddb88bd266f4513abab7c36bca98935c9148a98",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/ffa0b64e3be58519ae472ea29a1a1ad681e32f48",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}
Auto-Update: 2025-02-26T19:00:22.362560+00:00 2025-02-26 19:03:52 +00:00			`{`
			`"id": "CVE-2022-49067",`
			`"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",`
			`"published": "2025-02-26T07:00:43.927",`
			`"lastModified": "2025-02-26T07:00:43.927",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"vulnStatus": "Awaiting Analysis",`
Auto-Update: 2025-02-26T19:00:22.362560+00:00 2025-02-26 19:03:52 +00:00			`"cveTags": [],`
			`"descriptions": [`
			`{`
			`"lang": "en",`
			"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit\n\nmpe: On 64-bit Book3E vmalloc space starts at 0x8000000000000000.\n\nBecause of the way __pa() works we have:\n __pa(0x8000000000000000) == 0, and therefore\n virt_to_pfn(0x8000000000000000) == 0, and therefore\n virt_addr_valid(0x8000000000000000) == true\n\nWhich is wrong, virt_addr_valid() should be false for vmalloc space.\nIn fact all vmalloc addresses that alias with a valid PFN will return\ntrue from virt_addr_valid(). That can cause bugs with hardened usercopy\nas described below by Kefeng Wang:\n\n When running ethtool eth0 on 64-bit Book3E, a BUG occurred:\n\n usercopy: Kernel memory exposure attempt detected from SLUB object not in SLUB page?! (offset 0, size 1048)!\n kernel BUG at mm/usercopy.c:99\n ...\n usercopy_abort+0x64/0xa0 (unreliable)\n __check_heap_object+0x168/0x190\n __check_object_size+0x1a0/0x200\n dev_ethtool+0x2494/0x2b20\n dev_ioctl+0x5d0/0x770\n sock_do_ioctl+0xf0/0x1d0\n sock_ioctl+0x3ec/0x5a0\n __se_sys_ioctl+0xf0/0x160\n system_call_exception+0xfc/0x1f0\n system_call_common+0xf8/0x200\n\n The code shows below,\n\n data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));\n copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN))\n\n The data is alloced by vmalloc(), virt_addr_valid(ptr) will return true\n on 64-bit Book3E, which leads to the panic.\n\n As commit 4dd7554a6456 (\"powerpc/64: Add VIRTUAL_BUG_ON checks for __va\n and __pa addresses\") does, make sure the virt addr above PAGE_OFFSET in\n the virt_addr_valid() for 64-bit, also add upper limit check to make\n sure the virt is below high_memory.\n\n Meanwhile, for 32-bit PAGE_OFFSET is the virtual address of the start\n of lowmem, high_memory is the upper low virtual address, the check is\n suitable for 32-bit, this will fix the issue mentioned in commit\n 602946ec2f90 (\"powerpc: Set max_mapnr correctly\") too.\n\nOn 32-bit there is a similar problem with high memory, that was fixed in\ncommit 602946ec2f90 (\"powerpc: Set max_mapnr correctly\"), but that\ncommit breaks highmem and needs to be reverted.\n\nWe can't easily fix __pa(), we have code that relies on its current\nbehaviour. So for now add extra checks to virt_addr_valid().\n\nFor 64-bit Book3S the extra checks are not necessary, the combination of\nvirt_to_pfn() and pfn_valid() should yield the correct result, but they\nare harmless.\n\n[mpe: Add additional change log detail]"
Auto-Update: 2025-03-02T03:00:19.570958+00:00 2025-03-02 03:03:52 +00:00			`},`
			`{`
			`"lang": "es",`
			"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc: Arreglar virt_addr_valid() para Book3E de 64 bits y mpe de 32 bits: En Book3E de 64 bits, el espacio vmalloc comienza en 0x8000000000000000. Debido a la forma en que funciona __pa() tenemos: __pa(0x8000000000000000) == 0, y por lo tanto virt_to_pfn(0x8000000000000000) == 0, y por lo tanto virt_addr_valid(0x8000000000000000) == true Lo cual es incorrecto, virt_addr_valid() deber\u00eda ser falso para el espacio vmalloc. De hecho, todas las direcciones vmalloc que tengan un alias con un PFN v\u00e1lido devolver\u00e1n verdadero desde virt_addr_valid(). Esto puede causar errores con usercopy reforzado como lo describe a continuaci\u00f3n Kefeng Wang: Al ejecutar ethtool eth0 en Book3E de 64 bits, ocurri\u00f3 un ERROR: usercopy: \u00a1Intento de exposici\u00f3n de memoria del kernel detectado desde un objeto SLUB que no est\u00e1 en la p\u00e1gina SLUB! (desplazamiento 0, tama\u00f1o 1048). ERROR del kernel en mm/usercopy.c:99 ... usercopy_abort+0x64/0xa0 (no confiable) __check_heap_object+0x168/0x190 __check_object_size+0x1a0/0x200 dev_ethtool+0x2494/0x2b20 dev_ioctl+0x5d0/0x770 sock_do_ioctl+0xf0/0x1d0 sock_ioctl+0x3ec/0x5a0 __se_sys_ioctl+0xf0/0x160 system_call_exception+0xfc/0x1f0 system_call_common+0xf8/0x200 El c\u00f3digo se muestra a continuaci\u00f3n, data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN)); copy_to_user(useraddr, data, gstrings.len * ETH_GSTRING_LEN)) Los datos se asignan mediante vmalloc(), virt_addr_valid(ptr) devolver\u00e1 verdadero en Book3E de 64 bits, lo que genera el p\u00e1nico. Como lo hace el commit 4dd7554a6456 (\"powerpc/64: Agregar comprobaciones VIRTUAL_BUG_ON para direcciones __va y __pa\"), aseg\u00farese de que la direcci\u00f3n virt sea superior a PAGE_OFFSET en virt_addr_valid() para 64 bits, y agregue tambi\u00e9n una comprobaci\u00f3n de l\u00edmite superior para asegurarse de que la direcci\u00f3n virt est\u00e9 por debajo de high_memory. Mientras tanto, para 32 bits PAGE_OFFSET es la direcci\u00f3n virtual del inicio de lowmem, high_memory es la direcci\u00f3n virtual baja superior, la comprobaci\u00f3n es adecuada para 32 bits, esto solucionar\u00e1 tambi\u00e9n el problema mencionado en el commit 602946ec2f90 (\"powerpc: Set max_mapnr properly\"). En 32 bits hay un problema similar con la memoria alta, que se solucion\u00f3 en el commit 602946ec2f90 (\"powerpc: Set max_mapnr properly\"), pero ese commit rompe highmem y necesita ser revertido. No podemos arreglar f\u00e1cilmente __pa(), tenemos c\u00f3digo que depende de su comportamiento actual. As\u00ed que por ahora agregue comprobaciones adicionales a virt_addr_valid(). Para Book3S de 64 bits las comprobaciones adicionales no son necesarias, la combinaci\u00f3n de virt_to_pfn() y pfn_valid() deber\u00eda producir el resultado correcto, pero son inofensivas. [mpe: Agregar detalles adicionales del registro de cambios]"
Auto-Update: 2025-02-26T19:00:22.362560+00:00 2025-02-26 19:03:52 +00:00			`}`
			`],`
			`"metrics": {},`
			`"references": [`
			`{`
			`"url": "https://git.kernel.org/stable/c/a3727c25eacd7e437c4f560957fa3a376fe93e6b",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/cbc065efcba000ad8f615f506ebe61b6d3c5145b",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/d36febbcd537fcc50284e8b89609632d0146529f",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/deab81144d5a043f42804207fb76cfbd8a806978",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/fddb88bd266f4513abab7c36bca98935c9148a98",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/ffa0b64e3be58519ae472ea29a1a1ad681e32f48",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`}`
			`]`
			`}`