CVE-2022-49828 (GCVE-0-2022-49828)

Vulnerability from cvelistv5 – Published: 2025-05-01 14:09 – Updated: 2025-05-04 08:46
Summary
In the Linux kernel, the following vulnerability has been resolved:

hugetlbfs: don't delete error page from pagecache

This change is very similar to the change that was made for shmem [1], and it solves the same problem but for HugeTLBFS instead.

Currently, when poison is found in a HugeTLB page, the page is removed from the page cache. That means that attempting to map or read that hugepage in the future will result in a new hugepage being allocated instead of notifying the user that the page was poisoned. As [1] states, this is effectively memory corruption.

The fix is to leave the page in the page cache. If the user attempts to use a poisoned HugeTLB page with a syscall, the syscall will fail with EIO, the same error code that shmem uses. For attempts to map the page, the thread will get a BUS_MCEERR_AR SIGBUS.

[1]: commit a76054266661 ("mm: shmem: don't truncate page if memory failure happens")
Severity
No CVSS data available.
Assigner
Impacted products
Vendor  Product  Version
Linux   Linux    Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 30571f28bb35c826219971c63bcf60d2517112ed (git)
                 Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ec667443b2dbc6cdbbac4073e51a17733158ec6a (git)
                 Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8625147cafaa9ba74713d682f5185eb62cb2aedb (git)
Linux   Linux    Unaffected: 5.15.80 , ≤ 5.15.* (semver)
                 Unaffected: 6.0.10 , ≤ 6.0.* (semver)
                 Unaffected: 6.1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/hugetlbfs/inode.c",
            "mm/hugetlb.c",
            "mm/memory-failure.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "30571f28bb35c826219971c63bcf60d2517112ed",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ec667443b2dbc6cdbbac4073e51a17733158ec6a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8625147cafaa9ba74713d682f5185eb62cb2aedb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/hugetlbfs/inode.c",
            "mm/hugetlb.c",
            "mm/memory-failure.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.80",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhugetlbfs: don\u0027t delete error page from pagecache\n\nThis change is very similar to the change that was made for shmem [1], and\nit solves the same problem but for HugeTLBFS instead.\n\nCurrently, when poison is found in a HugeTLB page, the page is removed\nfrom the page cache.  That means that attempting to map or read that\nhugepage in the future will result in a new hugepage being allocated\ninstead of notifying the user that the page was poisoned.  As [1] states,\nthis is effectively memory corruption.\n\nThe fix is to leave the page in the page cache.  If the user attempts to\nuse a poisoned HugeTLB page with a syscall, the syscall will fail with\nEIO, the same error code that shmem uses.  For attempts to map the page,\nthe thread will get a BUS_MCEERR_AR SIGBUS.\n\n[1]: commit a76054266661 (\"mm: shmem: don\u0027t truncate page if memory failure happens\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:46:17.822Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/30571f28bb35c826219971c63bcf60d2517112ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec667443b2dbc6cdbbac4073e51a17733158ec6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8625147cafaa9ba74713d682f5185eb62cb2aedb"
        }
      ],
      "title": "hugetlbfs: don\u0027t delete error page from pagecache",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49828",
    "datePublished": "2025-05-01T14:09:47.443Z",
    "dateReserved": "2025-05-01T14:05:17.228Z",
    "dateUpdated": "2025-05-04T08:46:17.822Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49828\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:06.260\",\"lastModified\":\"2025-11-10T20:10:01.750\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhugetlbfs: don\u0027t delete error page from pagecache\\n\\nThis change is very similar to the change that was made for shmem [1], and\\nit solves the same problem but for HugeTLBFS instead.\\n\\nCurrently, when poison is found in a HugeTLB page, the page is removed\\nfrom the page cache.  That means that attempting to map or read that\\nhugepage in the future will result in a new hugepage being allocated\\ninstead of notifying the user that the page was poisoned.  As [1] states,\\nthis is effectively memory corruption.\\n\\nThe fix is to leave the page in the page cache.  If the user attempts to\\nuse a poisoned HugeTLB page with a syscall, the syscall will fail with\\nEIO, the same error code that shmem uses.  For attempts to map the page,\\nthe thread will get a BUS_MCEERR_AR SIGBUS.\\n\\n[1]: commit a76054266661 (\\\"mm: shmem: don\u0027t truncate page if memory failure happens\\\")\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hugetlbfs: no elimine la p\u00e1gina de error de la cach\u00e9 de p\u00e1ginas Este cambio es muy similar al cambio que se realiz\u00f3 para shmem [1] y resuelve el mismo problema, pero para HugeTLBFS. Actualmente, cuando se encuentra veneno en una p\u00e1gina HugeTLB, la p\u00e1gina se elimina de la cach\u00e9 de p\u00e1ginas. Eso significa que intentar mapear o leer esa p\u00e1gina enorme en el futuro dar\u00e1 como resultado que se asigne una nueva p\u00e1gina enorme en lugar de notificar al usuario que la p\u00e1gina fue envenenada. Como indica [1], esto es efectivamente corrupci\u00f3n de memoria. 
La soluci\u00f3n es dejar la p\u00e1gina en la cach\u00e9 de p\u00e1ginas. Si el usuario intenta usar una p\u00e1gina HugeTLB envenenada con una llamada al sistema, la llamada al sistema fallar\u00e1 con EIO, el mismo c\u00f3digo de error que usa shmem. Para los intentos de mapear la p\u00e1gina, el hilo obtendr\u00e1 un SIGBUS BUS_MCEERR_AR. [1]: commit a76054266661 (\\\"mm: shmem: no truncar la p\u00e1gina si se produce un fallo de memoria\\\")\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.15.80\",\"matchCriteriaId\":\"15DB3C25-553E-4AFA-AD20-45C84054F9CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.0.10\",\"matchCriteriaId\":\"64F9ADD1-3ADB-4D66-A00F-4A83010B05F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7E331DA-1FB0-4DEC-91AC-7DA69D461C11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"17F0B248-42CF-4AE6-A469-BB1BAE7F4705\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2422816-0C14-4B
5E-A1E6-A9D776E5C49B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/30571f28bb35c826219971c63bcf60d2517112ed\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8625147cafaa9ba74713d682f5185eb62cb2aedb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ec667443b2dbc6cdbbac4073e51a17733158ec6a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

