
CVE-2022-49049: Vulnerability in the Linux kernel (mm/secretmem)

Medium
Published: Wed Feb 26 2025 (02/26/2025, 01:54:24 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/secretmem: fix panic when growing a memfd_secret

When one tries to grow an existing memfd_secret with ftruncate, one gets a panic [1]. For example, doing the following reliably induces the panic:

    fd = memfd_secret();
    ftruncate(fd, 10);
    ptr = mmap(NULL, 10, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    strcpy(ptr, "123456789");
    munmap(ptr, 10);
    ftruncate(fd, 20);

The basic reason for this is, when we grow with ftruncate, we call down into simple_setattr, and then truncate_inode_pages_range, and eventually we try to zero part of the memory. The normal truncation code does this via the direct map (i.e., it calls page_address() and hands that to memset()).

For memfd_secret though, we specifically don't map our pages via the direct map (i.e. we call set_direct_map_invalid_noflush() on every fault). So the address returned by page_address() isn't useful, and when we try to memset() with it we panic.

This patch avoids the panic by implementing a custom setattr for memfd_secret, which detects resizes specifically (setting the size for the first time works just fine, since there are no existing pages to try to zero), and rejects them with EINVAL.

One could argue growing should be supported, but I think that will require a significantly more lengthy change. So, I propose a minimal fix for the benefit of stable kernels, and then perhaps to extend memfd_secret to support growing in a separate patch.
[1]:

BUG: unable to handle page fault for address: ffffa0a889277028
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD afa01067 P4D afa01067 PUD 83f909067 PMD 83f8bf067 PTE 800ffffef6d88060
Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
CPU: 0 PID: 281 Comm: repro Not tainted 5.17.0-dbg-DEV #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:memset_erms+0x9/0x10
Code: c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 <f3> aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 01
RSP: 0018:ffffb932c09afbf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffda63c4249dc0 RCX: 0000000000000fd8
RDX: 0000000000000fd8 RSI: 0000000000000000 RDI: ffffa0a889277028
RBP: ffffb932c09afc00 R08: 0000000000001000 R09: ffffa0a889277028
R10: 0000000000020023 R11: 0000000000000000 R12: ffffda63c4249dc0
R13: ffffa0a890d70d98 R14: 0000000000000028 R15: 0000000000000fd8
FS:  00007f7294899580(0000) GS:ffffa0af9bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffa0a889277028 CR3: 0000000107ef6006 CR4: 0000000000370ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? zero_user_segments+0x82/0x190
 truncate_inode_partial_folio+0xd4/0x2a0
 truncate_inode_pages_range+0x380/0x830
 truncate_setsize+0x63/0x80
 simple_setattr+0x37/0x60
 notify_change+0x3d8/0x4d0
 do_sys_ftruncate+0x162/0x1d0
 __x64_sys_ftruncate+0x1c/0x20
 do_syscall_64+0x44/0xa0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
Modules linked in: xhci_pci xhci_hcd virtio_net net_failover failover virtio_blk virtio_balloon uhci_hcd ohci_pci ohci_hcd evdev ehci_pci ehci_hcd 9pnet_virtio 9p netfs 9pnet
CR2: ffffa0a889277028

[lkp@intel.com: secretmem_iops can be static]
[axelrasmussen@google.com: return EINVAL]

AI-Powered Analysis

Last updated: 07/01/2025, 01:41:34 UTC

Technical Analysis

CVE-2022-49049 is a denial-of-service bug in the Linux kernel's memfd_secret subsystem (mm/secretmem), which gives user space memory that is deliberately removed from the kernel's direct map so that a kernel-side read or write cannot reach it by accident. The bug is hit when a memfd_secret file that already has pages faulted in is resized with ftruncate(). A size change on such a file goes through simple_setattr() and truncate_setsize(), and truncate_inode_pages_range() then zeroes the part of the existing last page that lies between the new size and the end of the page (truncate_inode_partial_folio() calling zero_user_segments() in the trace above). That zeroing is done through the direct map: the kernel takes page_address() of the page and hands it to memset(). For memfd_secret, however, every page is unmapped from the direct map on fault with set_direct_map_invalid_noflush(), so page_address() yields a kernel virtual address with no present mapping and the memset() takes a not-present page fault in supervisor mode (RIP in memset_erms, "supervisor write access in kernel mode", ftruncate in the call trace). The oops kills the calling task while do_truncate() still holds the inode lock, and on kernels that set panic_on_oops=1 (the RHEL-family default) the machine panics outright; either way the kernel is no longer in a trustworthy state.

The fix adds a secretmem-specific setattr handler that refuses any size change with EINVAL once the file already has a non-zero size; setting the size for the first time still works because no pages exist yet, so there is nothing to zero. Resizing is therefore disabled rather than made safe, and the commit message notes that supporting growth would need a larger change. The trigger is a short, unprivileged sequence (memfd_secret(), ftruncate(), mmap(), a write, munmap(), ftruncate() to a larger size) that any local process can run, so the crash is reliably reproducible. Two preconditions limit exposure: the kernel must be built with CONFIG_SECRETMEM, and the memfd_secret() system call is disabled by default and only becomes available when the kernel is booted with secretmem.enable=1 (otherwise it returns ENOSYS). The feature has existed since Linux 5.14, so unpatched kernels from 5.14 up to the fix are affected; the fix is in mainline and was backported to the stable series. No exploits in the wild are known and no CVSS score has been assigned.

Potential Impact

The practical effect is a local denial of service. Any unprivileged process on a vulnerable kernel with memfd_secret enabled can crash the kernel by creating a memfd_secret, sizing it, touching a page and then calling ftruncate() with a larger size; nothing beyond what the feature itself requires is needed (the pages are charged against RLIMIT_MEMLOCK, creation is not). There is no confidentiality or integrity impact on its own and no indication that the bug can be turned into privilege escalation or code execution: the kernel writes through an address that was deliberately unmapped, so the outcome is a fault, not a controlled write. The exposed cases are therefore availability-sensitive shared systems, such as multi-tenant hosts, build runners and other machines where untrusted local code runs on a kernel booted with secretmem.enable=1. For European organisations the relevant question is which fleets run such kernels. memfd_secret is off by default and used by few applications (it is meant for keeping secrets such as cryptographic keys out of the direct map, not for general allocation), so most servers cannot reach this code path; where the feature is enabled, though, an unpatched host can be taken down by any local user. For applications that do use memfd_secret the fix also changes behaviour: a second ftruncate() on an already sized file now fails with EINVAL, so code that relied on growing such a file must allocate the final size up front. No exploits in the wild are known, but the trigger is a handful of system calls, so a crash proof of concept is trivial to write from the public description.

Mitigation Recommendations

Update to a kernel that carries the fix ("mm/secretmem: fix panic when growing a memfd_secret", in mainline and the stable/LTS branches). For vendor or custom kernels that are not yet patched, backport the change; it is self-contained (a secretmem-specific setattr that returns EINVAL for size changes on an already sized file). Until the patch is in place, hosts that do not need the feature remove the exposure entirely by not passing secretmem.enable=1 on the kernel command line (check /proc/cmdline): with the feature disabled memfd_secret() returns ENOSYS and the vulnerable path is unreachable. Audit application code for memfd_secret() calls, including raw syscall() wrappers, and make sure every such file is sized exactly once with ftruncate() before it is mapped and never resized; on a fixed kernel a second ftruncate() fails with EINVAL, so code that tolerated resizing must be changed to allocate the final size up front or to create a fresh memfd_secret of the required size. For detection, a successful trigger leaves an oops that begins "BUG: unable to handle page fault", with memset_erms at RIP and truncate_inode_partial_folio and ftruncate in the call trace; capture it with a serial console, netconsole, pstore or kdump, because a panic rarely reaches the ordinary log files. On hosts where memfd_secret is disabled the risk is nil, but the patch should still be taken as part of routine kernel updates.
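The following probe is an added example, not code from the kernel or from this advisory. It checks two things discussed above: whether memfd_secret() is reachable on the running kernel at all (ENOSYS when CONFIG_SECRETMEM is absent or secretmem.enable=1 was not given), and whether the kernel carries the fix, which shows up as EINVAL on a second ftruncate(). It does this without ever mapping or touching a page: with no page faulted in there is nothing for the truncate path to zero, so the grow request is harmless even on an unpatched kernel. The sizes 4096 and 8192 are arbitrary, and the fallback syscall number 447 is an assumption for toolchains whose headers predate memfd_secret (447 is the generic and x86-64 number).

```c
/*
 * Safe probe for the CVE-2022-49049 fix (added example, not kernel code).
 *
 * Creates a memfd_secret, sets its size once, then asks for a larger size
 * WITHOUT mapping or writing a page. No page exists, so the vulnerable
 * zeroing path has nothing to zero and an unpatched kernel does not crash;
 * a patched kernel rejects the second ftruncate() with EINVAL.
 *
 * Do NOT add the mmap()/write step from the advisory's reproducer on a
 * kernel you suspect is unpatched: that is the crash trigger.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Assumption: older glibc/kernel headers lack this define; 447 is the
 * generic and x86-64 syscall number for memfd_secret. */
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447
#endif

enum secretmem_probe {
    PROBE_UNAVAILABLE = 0,  /* memfd_secret() failed: ENOSYS (not built, or
                               secretmem.enable=1 not set), EPERM (seccomp);
                               the vulnerable path is unreachable here   */
    PROBE_RESIZE_REJECTED,  /* second ftruncate() -> EINVAL: fix present  */
    PROBE_RESIZE_ALLOWED,   /* second ftruncate() succeeded: resize path is
                               still open (unpatched, or a future kernel
                               that implements growing)                  */
    PROBE_ERROR             /* something else failed; see saved errno    */
};

/* Runs the probe. On failure paths *saved_errno receives the errno. */
int probe_secretmem_resize(int *saved_errno)
{
    *saved_errno = 0;
    int fd = (int)syscall(__NR_memfd_secret, 0);
    if (fd < 0) {
        *saved_errno = errno;
        return PROBE_UNAVAILABLE;
    }

    /* First size assignment: i_size is still 0, so this works on fixed and
     * unfixed kernels alike. It allocates no page. */
    if (ftruncate(fd, 4096) != 0) {
        *saved_errno = errno;
        close(fd);
        return PROBE_ERROR;
    }

    /* Grow the file. Fixed kernels: -1/EINVAL. Unfixed kernels: success,
     * but harmless because nothing was faulted in. */
    int rc = ftruncate(fd, 8192);
    int err = errno;
    close(fd);

    if (rc == 0)
        return PROBE_RESIZE_ALLOWED;
    *saved_errno = err;
    return err == EINVAL ? PROBE_RESIZE_REJECTED : PROBE_ERROR;
}

/* Human-readable verdict for a probe result. */
const char *describe_probe(int result)
{
    switch (result) {
    case PROBE_UNAVAILABLE:
        return "memfd_secret unavailable: vulnerable path unreachable";
    case PROBE_RESIZE_REJECTED:
        return "resize rejected with EINVAL: kernel has the CVE-2022-49049 fix";
    case PROBE_RESIZE_ALLOWED:
        return "resize accepted: fix not present (or growing now supported)";
    default:
        return "probe error";
    }
}

int main(void)
{
    int err = 0;
    int r = probe_secretmem_resize(&err);
    printf("%s", describe_probe(r));
    if (err)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    return r == PROBE_ERROR;
}
```

Run it as an ordinary user on each host of interest. PROBE_UNAVAILABLE means the bug cannot be reached from that host as booted; PROBE_RESIZE_ALLOWED on a kernel older than the fix means the host needs the patch. Note that seccomp policies such as the container runtime defaults may return EPERM for the syscall, which the probe reports as unavailable from inside that sandbox, not as a statement about the host kernel.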


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2025-02-26T01:49:39.242Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d982fc4522896dcbe69cf

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 7/1/2025, 1:41:34 AM

Last updated: 8/14/2025, 6:03:02 PM

