CVE-2022-48762

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48762
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48762.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48762
Downstream
Published
2024-06-20T12:15:14Z
Modified
2025-03-24T18:17:02Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: extable: fix loadunalignedzeropad() reg indices

In exhandlerloadunalignedzeropad() we erroneously extract the data and addr register indices from ex->type rather than ex->data. As ex->type will contain EXTYPELOADUNALIGNEDZEROPAD (i.e. 4): * We'll always treat X0 as the address register, since EXDATAREGADDR is extracted from bits [9:5]. Thus, we may attempt to dereference an arbitrary address as X0 may hold an arbitrary value. * We'll always treat X4 as the data register, since EXDATAREGDATA is extracted from bits [4:0]. Thus we will corrupt X4 and cause arbitrary behaviour within loadunalignedzeropad() and its caller.

Fix this by extracting both values from ex->data as originally intended.

On an MTE-enabled QEMU image we are hitting the following crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: fixupexception+0xc4/0x108 _dokernelfault+0x3c/0x268 dotagcheckfault+0x3c/0x104 domemabort+0x44/0xf4 el1abort+0x40/0x64 el1h64synchandler+0x60/0xa0 el1h64sync+0x7c/0x80 linkpathwalk+0x150/0x344 pathopenat+0xa0/0x7dc dofilpopen+0xb8/0x168 dosysopenat2+0x88/0x17c _arm64sysopenat+0x74/0xa0 invokesyscall+0x48/0x148 el0svccommon+0xb8/0xf8 doel0svc+0x28/0x88 el0svc+0x24/0x84 el0t64synchandler+0x88/0xec el0t64sync+0x1b4/0x1b8 Code: f8695a69 71007d1f 540000e0 927df12a (f940014a)

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}