CVE-2022-50014

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50014
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50014.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50014
Published
2025-06-18T11:01:18Z
Modified
2025-10-13T23:30:49.375548Z
Summary
mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW

Ever since the Dirty COW (CVE-2016-5195) security issue happened, we know that FOLL_FORCE can be possibly dangerous, especially if there are races that can be exploited by user space.

Right now, it would be sufficient to have some code that sets a PTE of a R/O-mapped shared page dirty, in order for it to erroneously become writable by FOLL_FORCE. The implications of setting a write-protected PTE dirty might not be immediately obvious to everyone.

And in fact ever since commit 9ae0f87d009c ("mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte"), we can use UFFDIO_CONTINUE to map a shmem page R/O while marking the pte dirty. This can be used by unprivileged user space to modify tmpfs/shmem file content even if the user does not have write permissions to the file, and to bypass memfd write sealing -- Dirty COW restricted to tmpfs/shmem (CVE-2022-2590).

To fix such security issues for good, the insight is that we really only need that fancy retry logic (FOLL_COW) for COW mappings that are not writable (!VM_WRITE). And in a COW mapping, we really only broke COW if we have an exclusive anonymous page mapped. If we have something else mapped, or the mapped anonymous page might be shared (!PageAnonExclusive), we have to trigger a write fault to break COW. If we don't find an exclusive anonymous page when we retry, we have to trigger COW breaking once again because something intervened.

Let's move away from this mandatory-retry + dirty handling and rely on our PageAnonExclusive() flag for making a similar decision, to use the same COW logic as in other kernel parts here as well. In case we stumble over a PTE in a COW mapping that does not map an exclusive anonymous page, COW was not properly broken and we have to trigger a fake write-fault to break COW.

Just like we do in can_change_pte_writable() added via commit 64fe24a3e05e ("mm/mprotect: try avoiding write faults for exclusive anonymous pages when changing protection") and commit 76aefad628aa ("mm/mprotect: fix soft-dirty check in can_change_pte_writable()"), take care of softdirty and uffd-wp manually.

For example, a write() via /proc/self/mem to a uffd-wp-protected range has to fail instead of silently granting write access and bypassing the userspace fault handler. Note that FOLL_FORCE is not only used for debug access, but also triggered by applications without debug intentions, for example, when pinning pages via RDMA.

This fixes CVE-2022-2590. Note that only x86_64 and aarch64 are affected, because only those support CONFIG_HAVE_ARCH_USERFAULTFD_MINOR.

Fortunately, FOLL_COW is no longer required to handle FOLL_FORCE. So let's just get rid of it.

Thanks to Nadav Amit for pointing out that the pte_dirty() check in FOLL_FORCE code is problematic and might be exploitable.

Note 1: We don't check for the PTE being dirty because it doesn't matter for making a "was COWed" decision anymore, and whoever modifies the page has to set the page dirty either way.

Note 2: Kernels before extended uffd-wp support and before PageAnonExclusive (< 5.19) can simply revert the problematic commit instead and be safe regarding UFFDIO_CONTINUE. A backport to v5.19 requires minor adjustments due to lack of vma_soft_dirty_enabled().
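The following is an added userspace model of the decision the commit message describes, not kernel code and not part of the advisory: it places the pre-fix "dirty PTE means COW was broken" check next to the post-fix check that relies on PageAnonExclusive() and handles soft-dirty and uffd-wp by hand (the kernel function the fix touches is can_follow_write_pte() in mm/gup.c, as listed in the signatures below; the flag values, PTE bits, struct layouts and scenario helpers here are simplified stand-ins chosen for this example). The scenarios are the ones the message names: a read-only shared shmem page whose PTE was set dirty via UFFDIO_CONTINUE, a private mapping whose COW has genuinely been broken, and a uffd-wp protected range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* gup flags; numeric values are assumptions of this model */
#define FOLL_FORCE  0x01U
#define FOLL_COW    0x02U   /* only the pre-fix logic needs this */

/* vma->vm_flags subset (values are assumptions of this model) */
#define VM_WRITE    0x01UL
#define VM_SHARED   0x02UL
#define VM_MAYWRITE 0x04UL
#define VM_MAYSHARE 0x08UL

/* PTE bits of the model, stand-ins for the arch pte_*() helpers */
#define PTE_WRITE      0x01UL
#define PTE_DIRTY      0x02UL
#define PTE_SOFT_DIRTY 0x04UL
#define PTE_UFFD_WP    0x08UL

struct vma  { unsigned long vm_flags; bool soft_dirty_enabled; };
struct page { bool anon_exclusive; };  /* models PageAnonExclusive() */

/* Pre-fix decision: a dirty PTE under FOLL_FORCE|FOLL_COW is taken as
 * proof that COW was already broken, so the page is handed out writable.
 * Anything that can set a R/O PTE dirty (UFFDIO_CONTINUE) defeats this. */
static bool can_follow_write_pte_old(unsigned long pte, unsigned int flags)
{
    return (pte & PTE_WRITE) ||
           ((flags & FOLL_FORCE) && (flags & FOLL_COW) && (pte & PTE_DIRTY));
}

/* Post-fix decision: the dirty bit is irrelevant; FOLL_FORCE may only map
 * writable an exclusive anonymous page in a non-writable private mapping,
 * and never bypasses soft-dirty tracking or uffd-wp. */
static bool can_follow_write_pte_new(unsigned long pte, const struct page *page,
                                     const struct vma *vma, unsigned int flags)
{
    if (pte & PTE_WRITE)                            /* already writable */
        return true;
    if (!(flags & FOLL_FORCE))
        return false;
    if (vma->vm_flags & (VM_MAYSHARE | VM_SHARED))  /* never override shared mappings */
        return false;
    if (!(vma->vm_flags & VM_MAYWRITE))             /* ... or read-only private ones */
        return false;
    if (vma->vm_flags & VM_WRITE)                   /* writable private: real write fault */
        return false;
    if (!page || !page->anon_exclusive)             /* COW not broken: fake write fault */
        return false;
    if (vma->soft_dirty_enabled && !(pte & PTE_SOFT_DIRTY))
        return false;
    return !(pte & PTE_UFFD_WP);                    /* uffd-wp must reach the handler */
}

/* Scenario from the commit message: shmem page mapped read-only in a
 * shared mapping, PTE set dirty by UFFDIO_CONTINUE. */
static bool shmem_dirty_pte_writable_old(void)
{
    return can_follow_write_pte_old(PTE_DIRTY, FOLL_FORCE | FOLL_COW);
}

static bool shmem_dirty_pte_writable_new(void)
{
    struct vma vma = { .vm_flags = VM_SHARED | VM_MAYSHARE, .soft_dirty_enabled = false };
    struct page page = { .anon_exclusive = false };  /* shmem page, not anonymous */
    return can_follow_write_pte_new(PTE_DIRTY, &page, &vma, FOLL_FORCE);
}

/* Legitimate debugger case: private mapping mprotect()ed read-only after
 * COW was broken, so an exclusive anonymous page is mapped. */
static bool private_cow_broken_writable_new(void)
{
    struct vma vma = { .vm_flags = VM_MAYWRITE, .soft_dirty_enabled = false };
    struct page page = { .anon_exclusive = true };
    return can_follow_write_pte_new(PTE_DIRTY, &page, &vma, FOLL_FORCE);
}

/* Same mapping, but the range is uffd-wp protected: a write() via
 * /proc/self/mem has to fail instead of bypassing the fault handler. */
static bool uffd_wp_range_writable_new(void)
{
    struct vma vma = { .vm_flags = VM_MAYWRITE, .soft_dirty_enabled = false };
    struct page page = { .anon_exclusive = true };
    return can_follow_write_pte_new(PTE_DIRTY | PTE_UFFD_WP, &page, &vma, FOLL_FORCE);
}

int main(void)
{
    printf("shmem dirty PTE, pre-fix:  writable=%d (the bug)\n", shmem_dirty_pte_writable_old());
    printf("shmem dirty PTE, post-fix: writable=%d\n", shmem_dirty_pte_writable_new());
    printf("private COW-broken page:   writable=%d\n", private_cow_broken_writable_new());
    printf("uffd-wp protected range:   writable=%d\n", uffd_wp_range_writable_new());
    return 0;
}
```

The ordering of the post-fix checks is the point: the shared-mapping and VM_MAYWRITE tests reject the shmem case before the page is even looked at, so no way of dirtying a read-only PTE can make FOLL_FORCE hand out a writable page, while the exclusive-anonymous-page case that ptrace and /proc/pid/mem writes depend on keeps working.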

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9ae0f87d009ca6c4aab2882641ddfc319727e3db
Fixed
9def52eb10baab3b700858003d462fcf17d62873
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9ae0f87d009ca6c4aab2882641ddfc319727e3db
Fixed
5535be3099717646781ce1540cf725965d680e7b

Affected versions

v5.*

v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.19.5

v6.*

v6.0-rc1

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 175.0,
                "function_hash": "22854469281736808529659055724496481259"
            },
            "target": {
                "function": "can_follow_write_pte",
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-102bf8ce",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 989.0,
                "function_hash": "316799384999483751258526228639932781606"
            },
            "target": {
                "function": "faultin_page",
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-36f09ed0",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 956.0,
                "function_hash": "144435052571464020581911568474958321581"
            },
            "target": {
                "function": "follow_trans_huge_pmd",
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-3e475ac4",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 947.0,
                "function_hash": "78937328476111351072478944578081847915"
            },
            "target": {
                "function": "follow_devmap_pmd",
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-5c637bfe",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 175.0,
                "function_hash": "22854469281736808529659055724496481259"
            },
            "target": {
                "function": "can_follow_write_pte",
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-5f38e53f",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 1115.0,
                "function_hash": "276727314819272738163420899617813584389"
            },
            "target": {
                "function": "faultin_page",
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-69445c7d",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "line_hashes": [
                    "174976490296946991246910277352102408256",
                    "244294158023364689983675256562614999810",
                    "80615053076251239769930300325208135444",
                    "57170684908740387172301021707914018345",
                    "257952295658745104923910458787775428265",
                    "278846859602014634913390169143373603383",
                    "179533537749381961794230495007146899963",
                    "123971699082962457328743659971703723177",
                    "126234889429678340260088926571144086949",
                    "39895346732473285779444074214115314009",
                    "153837415048613480974817182551577262533",
                    "107561519074879103079773383301045147965",
                    "91397221733370744533217883752828403663",
                    "323614764678457025973361166696496963480",
                    "332981330459333210722599862124965064075",
                    "20081314781442702259644363541696757683",
                    "224537575853359584977707555984648148681",
                    "149668715150627110703353406503917018649",
                    "210002914843261169212595534372852233155",
                    "331662836602927603140313123945088014899"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-8b7f3909",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 2118.0,
                "function_hash": "168524247367474127432923193229531955684"
            },
            "target": {
                "function": "follow_page_pte",
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-9e04da16",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        },
        {
            "digest": {
                "line_hashes": [
                    "79412745221160005243649799170004426503",
                    "192148575859867140085993380928507140994",
                    "131623320180681964312282584036303173413",
                    "1367747259092249212518435616138752260",
                    "98359811195614673096869388462222202566",
                    "136388917462111906150865725933513945475",
                    "237707147744413447061047142705619213354",
                    "172488912318125651845608753638689648510",
                    "71703894152171452744817867738910319369",
                    "14766279862144987663834380081429099604",
                    "64405655513103782727341669476966651083",
                    "54791403516707212577045490865151369359",
                    "310960507943342937915276222744275075233",
                    "99114978793801253171032983702966855428",
                    "181153380172662614981523219229418024155",
                    "176670266134300436768130334409790240399",
                    "250575977211973847142471082571232595731",
                    "5970548922824696263439599079765197497",
                    "6562337801657822686955445363951477708",
                    "78199350779953118650166891943382596980",
                    "311968350181825600786667165765118123339",
                    "11681490373971591749127038314140268238",
                    "83760054088139042984925951650688546540",
                    "196597376089096842609385664121304068575",
                    "104215026883742205781126967321098326109",
                    "334437295300919594886120355795129427296",
                    "93961609632192598726743783626187689411",
                    "33745241720232308476299815578672755006"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-a2b07354",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "line_hashes": [
                    "174976490296946991246910277352102408256",
                    "244294158023364689983675256562614999810",
                    "80615053076251239769930300325208135444",
                    "57170684908740387172301021707914018345",
                    "257952295658745104923910458787775428265",
                    "278846859602014634913390169143373603383",
                    "179533537749381961794230495007146899963",
                    "123971699082962457328743659971703723177",
                    "126234889429678340260088926571144086949",
                    "39895346732473285779444074214115314009",
                    "153837415048613480974817182551577262533",
                    "107561519074879103079773383301045147965",
                    "91397221733370744533217883752828403663",
                    "323614764678457025973361166696496963480",
                    "332981330459333210722599862124965064075",
                    "20081314781442702259644363541696757683",
                    "224537575853359584977707555984648148681",
                    "149668715150627110703353406503917018649",
                    "210002914843261169212595534372852233155",
                    "331662836602927603140313123945088014899"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-b175a001",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 934.0,
                "function_hash": "107399491038711295939140810598054092754"
            },
            "target": {
                "function": "follow_devmap_pmd",
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-be33107b",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 175.0,
                "function_hash": "22854469281736808529659055724496481259"
            },
            "target": {
                "function": "can_follow_write_pmd",
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-c2ce73ad",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 175.0,
                "function_hash": "22854469281736808529659055724496481259"
            },
            "target": {
                "function": "can_follow_write_pmd",
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-c4af2d00",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "line_hashes": [
                    "79412745221160005243649799170004426503",
                    "192148575859867140085993380928507140994",
                    "131623320180681964312282584036303173413",
                    "1367747259092249212518435616138752260",
                    "98359811195614673096869388462222202566",
                    "136388917462111906150865725933513945475",
                    "237707147744413447061047142705619213354",
                    "172488912318125651845608753638689648510",
                    "71703894152171452744817867738910319369",
                    "14766279862144987663834380081429099604",
                    "64405655513103782727341669476966651083",
                    "54791403516707212577045490865151369359",
                    "310960507943342937915276222744275075233",
                    "99114978793801253171032983702966855428",
                    "181153380172662614981523219229418024155",
                    "176670266134300436768130334409790240399",
                    "250575977211973847142471082571232595731",
                    "5970548922824696263439599079765197497",
                    "6562337801657822686955445363951477708",
                    "78199350779953118650166891943382596980",
                    "311968350181825600786667165765118123339",
                    "11681490373971591749127038314140268238",
                    "83760054088139042984925951650688546540",
                    "196597376089096842609385664121304068575",
                    "155822898149341760258449120852205237268",
                    "334437295300919594886120355795129427296",
                    "93961609632192598726743783626187689411",
                    "33745241720232308476299815578672755006"
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-e1b54547",
            "signature_type": "Line",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 2118.0,
                "function_hash": "168524247367474127432923193229531955684"
            },
            "target": {
                "function": "follow_page_pte",
                "file": "mm/gup.c"
            },
            "id": "CVE-2022-50014-eb77760a",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5535be3099717646781ce1540cf725965d680e7b",
            "signature_version": "v1"
        },
        {
            "digest": {
                "length": 943.0,
                "function_hash": "131903468624610667712095415984586799128"
            },
            "target": {
                "function": "follow_trans_huge_pmd",
                "file": "mm/huge_memory.c"
            },
            "id": "CVE-2022-50014-f1da664c",
            "signature_type": "Function",
            "deprecated": false,
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9def52eb10baab3b700858003d462fcf17d62873",
            "signature_version": "v1"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.19.6