fkie_cve-2022-49511
Vulnerability from fkie_nvd
Published
2025-02-26 07:01
Modified
2025-02-26 07:01
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: fbdev: defio: fix the pagelist corruption Easily hit the below list corruption: == list_add corruption. prev->next should be next (ffffffffc0ceb090), but was ffffec604507edc8. (prev=ffffec604507edc8). WARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26 __list_add_valid+0x53/0x80 CPU: 65 PID: 3959 Comm: fbdev Tainted: G U RIP: 0010:__list_add_valid+0x53/0x80 Call Trace: <TASK> fb_deferred_io_mkwrite+0xea/0x150 do_page_mkwrite+0x57/0xc0 do_wp_page+0x278/0x2f0 __handle_mm_fault+0xdc2/0x1590 handle_mm_fault+0xdd/0x2c0 do_user_addr_fault+0x1d3/0x650 exc_page_fault+0x77/0x180 ? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x7fd98fc8fad1 == Figure out the race happens when one process is adding &page->lru into the pagelist tail in fb_deferred_io_mkwrite(), another process is re-initializing the same &page->lru in fb_deferred_io_fault(), which is not protected by the lock. This fix is to init all the page lists one time during initialization, it not only fixes the list corruption, but also avoids INIT_LIST_HEAD() redundantly. V2: change "int i" to "unsigned int i" (Geert Uytterhoeven)
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6a9ae2fe887042f76fd3d334349e64e8ab3c55a2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/856082f021a28221db2c32bd0531614a8382be67
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e79b2b2aadeffe1db54a6b569b9b621575c3eb07
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: defio: fix the pagelist corruption\n\nEasily hit the below list corruption:\n==\nlist_add corruption. prev-\u003enext should be next (ffffffffc0ceb090), but\nwas ffffec604507edc8. (prev=ffffec604507edc8).\nWARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26\n__list_add_valid+0x53/0x80\nCPU: 65 PID: 3959 Comm: fbdev Tainted: G     U\nRIP: 0010:__list_add_valid+0x53/0x80\nCall Trace:\n \u003cTASK\u003e\n fb_deferred_io_mkwrite+0xea/0x150\n do_page_mkwrite+0x57/0xc0\n do_wp_page+0x278/0x2f0\n __handle_mm_fault+0xdc2/0x1590\n handle_mm_fault+0xdd/0x2c0\n do_user_addr_fault+0x1d3/0x650\n exc_page_fault+0x77/0x180\n ? asm_exc_page_fault+0x8/0x30\n asm_exc_page_fault+0x1e/0x30\nRIP: 0033:0x7fd98fc8fad1\n==\n\nFigure out the race happens when one process is adding \u0026page-\u003elru into\nthe pagelist tail in fb_deferred_io_mkwrite(), another process is\nre-initializing the same \u0026page-\u003elru in fb_deferred_io_fault(), which is\nnot protected by the lock.\n\nThis fix is to init all the page lists one time during initialization,\nit not only fixes the list corruption, but also avoids INIT_LIST_HEAD()\nredundantly.\n\nV2: change \"int i\" to \"unsigned int i\" (Geert Uytterhoeven)"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fbdev: defio: corrige la corrupci\u00f3n de la lista de p\u00e1ginas. F\u00e1cilmente se llega a la siguiente corrupci\u00f3n de lista: == list_add corruption. prev-\u0026gt;next should be next (ffffffffc0ceb090), but was ffffec604507edc8. (prev=ffffec604507edc8). WARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26 __list_add_valid+0x53/0x80 CPU: 65 PID: 3959 Comm: fbdev Tainted: G U RIP: 0010:__list_add_valid+0x53/0x80 Call Trace:  fb_deferred_io_mkwrite+0xea/0x150 do_page_mkwrite+0x57/0xc0 do_wp_page+0x278/0x2f0 __handle_mm_fault+0xdc2/0x1590 handle_mm_fault+0xdd/0x2c0 do_user_addr_fault+0x1d3/0x650 exc_page_fault+0x77/0x180 ? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x7fd98fc8fad1 == Averig\u00fce que la ejecuci\u00f3n ocurre cuando un proceso agrega \u0026amp;page-\u0026gt;lru a la cola de la lista de p\u00e1ginas en fb_deferred_io_mkwrite(), otro proceso est\u00e1 reinicializando la misma \u0026amp;page-\u0026gt;lru en fb_deferred_io_fault(), que no est\u00e1 protegida por el bloqueo. Esta soluci\u00f3n consiste en inicializar todas las listas de p\u00e1ginas una vez durante la inicializaci\u00f3n, no solo corrige la corrupci\u00f3n de la lista, sino que tambi\u00e9n evita que INIT_LIST_HEAD() se ejecute de manera redundante. V2: cambie \"int i\" por \"unsigned int i\" (Geert Uytterhoeven)"
    }
  ],
  "id": "CVE-2022-49511",
  "lastModified": "2025-02-26T07:01:27.193",
  "metrics": {},
  "published": "2025-02-26T07:01:27.193",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6a9ae2fe887042f76fd3d334349e64e8ab3c55a2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/856082f021a28221db2c32bd0531614a8382be67"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e79b2b2aadeffe1db54a6b569b9b621575c3eb07"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.