ghsa-vj7w-cq55-7h2m
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
arm64: extable: fix load_unaligned_zeropad() reg indices
In ex_handler_load_unaligned_zeropad() we erroneously extract the data and addr register indices from ex->type rather than ex->data. As ex->type will contain EX_TYPE_LOAD_UNALIGNED_ZEROPAD (i.e. 4): * We'll always treat X0 as the address register, since EX_DATA_REG_ADDR is extracted from bits [9:5]. Thus, we may attempt to dereference an arbitrary address as X0 may hold an arbitrary value. * We'll always treat X4 as the data register, since EX_DATA_REG_DATA is extracted from bits [4:0]. Thus we will corrupt X4 and cause arbitrary behaviour within load_unaligned_zeropad() and its caller.
Fix this by extracting both values from ex->data as originally intended.
On an MTE-enabled QEMU image we are hitting the following crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: fixup_exception+0xc4/0x108 __do_kernel_fault+0x3c/0x268 do_tag_check_fault+0x3c/0x104 do_mem_abort+0x44/0xf4 el1_abort+0x40/0x64 el1h_64_sync_handler+0x60/0xa0 el1h_64_sync+0x7c/0x80 link_path_walk+0x150/0x344 path_openat+0xa0/0x7dc do_filp_open+0xb8/0x168 do_sys_openat2+0x88/0x17c __arm64_sys_openat+0x74/0xa0 invoke_syscall+0x48/0x148 el0_svc_common+0xb8/0xf8 do_el0_svc+0x28/0x88 el0_svc+0x24/0x84 el0t_64_sync_handler+0x88/0xec el0t_64_sync+0x1b4/0x1b8 Code: f8695a69 71007d1f 540000e0 927df12a (f940014a)
{
"affected": [],
"aliases": [
"CVE-2022-48762"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-20T12:15:14Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: extable: fix load_unaligned_zeropad() reg indices\n\nIn ex_handler_load_unaligned_zeropad() we erroneously extract the data and\naddr register indices from ex-\u003etype rather than ex-\u003edata. As ex-\u003etype will\ncontain EX_TYPE_LOAD_UNALIGNED_ZEROPAD (i.e. 4):\n * We\u0027ll always treat X0 as the address register, since EX_DATA_REG_ADDR is\n extracted from bits [9:5]. Thus, we may attempt to dereference an\n arbitrary address as X0 may hold an arbitrary value.\n * We\u0027ll always treat X4 as the data register, since EX_DATA_REG_DATA is\n extracted from bits [4:0]. Thus we will corrupt X4 and cause arbitrary\n behaviour within load_unaligned_zeropad() and its caller.\n\nFix this by extracting both values from ex-\u003edata as originally intended.\n\nOn an MTE-enabled QEMU image we are hitting the following crash:\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Call trace:\n fixup_exception+0xc4/0x108\n __do_kernel_fault+0x3c/0x268\n do_tag_check_fault+0x3c/0x104\n do_mem_abort+0x44/0xf4\n el1_abort+0x40/0x64\n el1h_64_sync_handler+0x60/0xa0\n el1h_64_sync+0x7c/0x80\n link_path_walk+0x150/0x344\n path_openat+0xa0/0x7dc\n do_filp_open+0xb8/0x168\n do_sys_openat2+0x88/0x17c\n __arm64_sys_openat+0x74/0xa0\n invoke_syscall+0x48/0x148\n el0_svc_common+0xb8/0xf8\n do_el0_svc+0x28/0x88\n el0_svc+0x24/0x84\n el0t_64_sync_handler+0x88/0xec\n el0t_64_sync+0x1b4/0x1b8\n Code: f8695a69 71007d1f 540000e0 927df12a (f940014a)",
"id": "GHSA-vj7w-cq55-7h2m",
"modified": "2024-06-20T12:31:22Z",
"published": "2024-06-20T12:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48762"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3758a6c74e08bdc15ccccd6872a6ad37d165239a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47fe7a1c5e3e011eeb4ab79f2d54a794fdd1c3eb"
}
],
"schema_version": "1.4.0",
"severity": []
}