CVE-2022-50630

The vmalock and hugetlbfaultmutex are dropped before handling userfault and reacquire them again after handleuserfault(), but reacquire the vma_lock could lead to UAF[1,2] due to the following race,

hugetlbfault hugetlbnopage /*unlock vmalock */ hugetlbhandleuserfault handleuserfault /* unlock mm->mmaplock*/ vmmmappgoff dommap mmapregion munmapvmarange /* clean old vma / / lock vmalock again <--- UAF / / unlock vmalock */

Since the vmalock will unlock immediately after hugetlbhandleuserfault(), let's drop the unneeded lock and unlock in hugetlbhandle_userfault() to fix the issue.

[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/ [2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50630.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45

Fixed

45c33966759ea1b4040c08dacda99ef623c0ca29

Fixed

0db2efb3bff879566f05341d94c3de00ac95c4cc

Fixed

dd691973f67b2800a97db723b1ff6f07fdcf7f5a

Fixed

78504bcedb2f1bbfb353b4d233c24d641c4dda33

Fixed

958f32ce832ba781ac20e11bb2d12a9352ea28fc

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50630.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.11.0

Fixed

5.10.150

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.75

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.19.17

Type: ECOSYSTEM
Events: Introduced

5.20.0

Fixed

6.0.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50630.json"