CVE-2022-50232

[ This issue was fixed upstream by accident in c3cee924bd85 ("arm64: head: cover entire kernel image in initial ID map") as part of a large refactoring of the arm64 boot flow. This simple fix is therefore preferred for -stable backporting ]

On a system that implements FEATEPAN, read/write access to the idmap is denied because UXN is not set on the swapper PTEs. As a result, idmapkptiinstallngmappings panics the kernel when accessing _idmapkptiflag. Fix it by setting UXN on these PTEs.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50232.json"
}

References

Affected packages

Git

git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

18107f8a2df6bf1c6cac8d0713f757f866d5af51

Fixed

775871d4be0d75e219cca937af843a4a1b60489a

Fixed

c3cee924bd855184d15bc4aa6088dcf8e2c1394c

Affected versions

v5.*

v5.12

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.27

v5.15.28

v5.15.29

v5.15.3

v5.15.30

v5.15.31

v5.15.32

v5.15.33

v5.15.34

v5.15.35

v5.15.36

v5.15.37

v5.15.38

v5.15.39

v5.15.4

v5.15.40

v5.15.41

v5.15.42

v5.15.43

v5.15.44

v5.15.45

v5.15.46

v5.15.47

v5.15.48

v5.15.49

v5.15.5

v5.15.50

v5.15.51

v5.15.52

v5.15.53

v5.15.54

v5.15.55

v5.15.56

v5.15.57

v5.15.58

v5.15.59

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19-rc1

v5.19-rc2

v5.19-rc3

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-50232-38538c76",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3cee924bd855184d15bc4aa6088dcf8e2c1394c",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "82330200697673335372597973066776512225",
            "length": 426.0
        },
        "target": {
            "function": "paging_init",
            "file": "arch/arm64/mm/mmu.c"
        }
    },
    {
        "id": "CVE-2022-50232-790e998f",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3cee924bd855184d15bc4aa6088dcf8e2c1394c",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "34028416160447483806562655426375619884",
                "190388467713600494622170557177536062951",
                "227617969726944583763367795325012702099",
                "187820742443352735330060647117127422275",
                "290769937157585924455781113617212255631",
                "90484158722437318461048618202179289178",
                "18897070344871461206673163287671936908",
                "77815837401738578080405817767593518597",
                "6793914066014216538223593355057246032",
                "171063294696719585450134581695722801252",
                "270096704480498375689434467625264803671",
                "39384581313273946389704356714930359713",
                "232027824551155305080313411277133577849",
                "57854298232146873278227890625531748900"
            ]
        },
        "target": {
            "file": "arch/arm64/mm/mmu.c"
        }
    },
    {
        "id": "CVE-2022-50232-e1095a00",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c3cee924bd855184d15bc4aa6088dcf8e2c1394c",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "327892130325109029480489297356604233283",
                "71734388821128010166035172852462043457",
                "320215778404595278949868419242003230701",
                "115584937378444169183098770577973031319",
                "324723549656773592822040310492005512954",
                "270638501489813482845755054250527356689",
                "214970271167890379189281136852339058027",
                "327892130325109029480489297356604233283",
                "71734388821128010166035172852462043457",
                "233557843046479140734566775282309524309",
                "319358207898728010128483523687495315903"
            ]
        },
        "target": {
            "file": "arch/arm64/include/asm/kernel-pgtable.h"
        }
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50232.json"

git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Events: Introduced

df0cc57e057f18e44dac8e6c18aba47ab53202f9

Fixed

4fe89d07dcc2804c8b562f6c7896a45643d34b2f

Affected versions

v5.*

v5.16

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50232.json"