CVE-2022-49760: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix PTE marker handling in hugetlb_change_protection() Patch series "mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()". Playing with virtio-mem and background snapshots (using uffd-wp) on hugetlb in QEMU, I managed to trigger a VM_BUG_ON(). Looking into the details, hugetlb_change_protection() seems to not handle uffd-wp correctly in all cases. Patch #1 fixes my test case. I don't have reproducers for patch #2, as it requires running into migration entries. I did not yet check in detail yet if !hugetlb code requires similar care. This patch (of 2): There are two problematic cases when stumbling over a PTE marker in hugetlb_change_protection(): (1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will end up in the "!huge_pte_none(pte)" case and mess up the PTE marker. (2) We unprotect a uffd-wp PTE marker: we will similarly end up in the "!huge_pte_none(pte)" case even though we cleared the PTE, because the "pte" variable is stale. We'll mess up the PTE marker. For example, if we later stumble over such a "wrongly modified" PTE marker, we'll treat it like a present PTE that maps some garbage page. This can, for example, be triggered by mapping a memfd backed by huge pages, registering uffd-wp, uffd-wp'ing an unmapped page and (a) uffd-wp'ing it a second time; or (b) uffd-unprotecting it; or (c) unregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE) on that file range, we will run into a VM_BUG_ON: [ 195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 [ 195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff) [ 195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000 [ 195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 195.039569] page dumped because: VM_BUG_ON_PAGE(compound && !PageHead(page)) [ 195.039573] ------------[ cut here ]------------ [ 195.039574] kernel BUG at mm/rmap.c:1346! [ 195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1 [ 195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022 [ 195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550 [ 195.039588] Code: [...] [ 195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292 [ 195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000 [ 195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff [ 195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08 [ 195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0 [ 195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100 [ 195.039595] FS: 00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000 [ 195.039596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0 [ 195.039598] PKRU: 55555554 [ 195.039599] Call Trace: [ 195.039600] <TASK> [ 195.039602] __unmap_hugepage_range+0x33b/0x7d0 [ 195.039605] unmap_hugepage_range+0x55/0x70 [ 195.039608] hugetlb_vmdelete_list+0x77/0xa0 [ 195.039611] hugetlbfs_fallocate+0x410/0x550 [ 195.039612] ? _raw_spin_unlock_irqrestore+0x23/0x40 [ 195.039616] vfs_fallocate+0x12e/0x360 [ 195.039618] __x64_sys_fallocate+0x40/0x70 [ 195.039620] do_syscall_64+0x58/0x80 [ 195.039623] ? syscall_exit_to_user_mode+0x17/0x40 [ 195.039624] ? do_syscall_64+0x67/0x80 [ 195.039626] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 195.039628] RIP: 0033:0x7fc7b590651f [ 195.039653] Code: [...] [ 195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d [ 195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f ---truncated---
AI Analysis
Technical Summary
CVE-2022-49760 is a vulnerability in the Linux kernel's memory management subsystem, specifically within the handling of huge pages (hugetlb) and userfaultfd write-protection (uffd-wp) in the function hugetlb_change_protection(). The issue arises when the kernel improperly manages page table entries (PTEs) that serve as markers during protection changes on huge pages. Two problematic scenarios are identified: (1) re-protecting a uffd-wp PTE marker using uffd-wp leads to corruption of the PTE marker, and (2) unprotecting a uffd-wp PTE marker results in stale PTE variables causing incorrect modification of the PTE marker. This mishandling can cause the kernel to treat corrupted PTE markers as valid present pages mapping to invalid memory, which can be triggered by operations such as mapping a memfd backed by huge pages, registering uffd-wp, and performing uffd-wp or uffd-unprotect operations multiple times. A subsequent fallocate system call with the PUNCH_HOLE flag on the affected file range can trigger a kernel BUG, leading to a kernel panic and system crash. The vulnerability is rooted in the complex interaction between huge page management, userfaultfd write-protection, and memory migration entries, with the kernel failing to correctly handle certain edge cases. The patch series referenced addresses these issues by correcting the PTE marker handling logic in hugetlb_change_protection(). No known exploits are reported in the wild, and the vulnerability requires specific conditions involving huge pages, userfaultfd write-protection, and file operations to be triggered. The vulnerability affects Linux kernel versions identified by the given commit hashes and is relevant to systems using huge pages with userfaultfd write-protection, commonly found in virtualization environments such as QEMU where virtio-mem and background snapshots are used.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments running Linux kernels with huge page support and userfaultfd write-protection enabled, especially in virtualization and cloud infrastructure contexts. The vulnerability can cause kernel panics and system crashes, leading to denial of service (DoS) conditions. This can disrupt critical services, particularly in data centers, cloud providers, and enterprises relying on virtual machines or containerized workloads that utilize huge pages for performance optimization. The impact on confidentiality and integrity is limited as the vulnerability does not directly enable privilege escalation or arbitrary code execution; however, the resulting instability and crashes can cause service outages and potential data loss if systems are not properly backed up or if critical processes are interrupted. Given the complexity and specific triggering conditions, exploitation requires privileged access or the ability to perform specific memory and file operations, reducing the likelihood of remote exploitation but increasing risk from insider threats or compromised systems. The vulnerability may also affect embedded systems or specialized appliances running affected Linux kernels, which are common in industrial and telecommunications sectors in Europe.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions with the fixes addressing hugetlb_change_protection() PTE marker handling. Specifically, kernel upgrades to versions including the referenced patch series should be deployed promptly in all environments using huge pages and userfaultfd write-protection. For virtualization platforms like QEMU, ensure that the host and guest kernels are updated to prevent triggering the vulnerability during memory snapshot or migration operations. Additionally, organizations should audit their use of huge pages and userfaultfd write-protection features, disabling or limiting these where not strictly necessary to reduce the attack surface. Monitoring kernel logs for VM_BUG_ON or kernel panic messages related to hugetlb or uffd-wp can help detect attempts to trigger this vulnerability. Implement strict access controls and privilege separation to prevent unauthorized users from performing the specific memory and file operations required to exploit this issue. Backup critical data regularly to mitigate potential data loss from unexpected system crashes. Finally, coordinate with Linux distribution vendors and virtualization software providers to ensure timely receipt of security updates and advisories.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2022-49760: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix PTE marker handling in hugetlb_change_protection() Patch series "mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()". Playing with virtio-mem and background snapshots (using uffd-wp) on hugetlb in QEMU, I managed to trigger a VM_BUG_ON(). Looking into the details, hugetlb_change_protection() seems to not handle uffd-wp correctly in all cases. Patch #1 fixes my test case. I don't have reproducers for patch #2, as it requires running into migration entries. I did not yet check in detail yet if !hugetlb code requires similar care. This patch (of 2): There are two problematic cases when stumbling over a PTE marker in hugetlb_change_protection(): (1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will end up in the "!huge_pte_none(pte)" case and mess up the PTE marker. (2) We unprotect a uffd-wp PTE marker: we will similarly end up in the "!huge_pte_none(pte)" case even though we cleared the PTE, because the "pte" variable is stale. We'll mess up the PTE marker. For example, if we later stumble over such a "wrongly modified" PTE marker, we'll treat it like a present PTE that maps some garbage page. This can, for example, be triggered by mapping a memfd backed by huge pages, registering uffd-wp, uffd-wp'ing an unmapped page and (a) uffd-wp'ing it a second time; or (b) uffd-unprotecting it; or (c) unregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE) on that file range, we will run into a VM_BUG_ON: [ 195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 [ 195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff) [ 195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000 [ 195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 195.039569] page dumped because: VM_BUG_ON_PAGE(compound && !PageHead(page)) [ 195.039573] ------------[ cut here ]------------ [ 195.039574] kernel BUG at mm/rmap.c:1346! [ 195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1 [ 195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022 [ 195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550 [ 195.039588] Code: [...] [ 195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292 [ 195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000 [ 195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff [ 195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08 [ 195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0 [ 195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100 [ 195.039595] FS: 00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000 [ 195.039596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0 [ 195.039598] PKRU: 55555554 [ 195.039599] Call Trace: [ 195.039600] <TASK> [ 195.039602] __unmap_hugepage_range+0x33b/0x7d0 [ 195.039605] unmap_hugepage_range+0x55/0x70 [ 195.039608] hugetlb_vmdelete_list+0x77/0xa0 [ 195.039611] hugetlbfs_fallocate+0x410/0x550 [ 195.039612] ? _raw_spin_unlock_irqrestore+0x23/0x40 [ 195.039616] vfs_fallocate+0x12e/0x360 [ 195.039618] __x64_sys_fallocate+0x40/0x70 [ 195.039620] do_syscall_64+0x58/0x80 [ 195.039623] ? syscall_exit_to_user_mode+0x17/0x40 [ 195.039624] ? do_syscall_64+0x67/0x80 [ 195.039626] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 195.039628] RIP: 0033:0x7fc7b590651f [ 195.039653] Code: [...] [ 195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d [ 195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2022-49760 is a vulnerability in the Linux kernel's memory management subsystem, specifically within the handling of huge pages (hugetlb) and userfaultfd write-protection (uffd-wp) in the function hugetlb_change_protection(). The issue arises when the kernel improperly manages page table entries (PTEs) that serve as markers during protection changes on huge pages. Two problematic scenarios are identified: (1) re-protecting a uffd-wp PTE marker using uffd-wp leads to corruption of the PTE marker, and (2) unprotecting a uffd-wp PTE marker results in stale PTE variables causing incorrect modification of the PTE marker. This mishandling can cause the kernel to treat corrupted PTE markers as valid present pages mapping to invalid memory, which can be triggered by operations such as mapping a memfd backed by huge pages, registering uffd-wp, and performing uffd-wp or uffd-unprotect operations multiple times. A subsequent fallocate system call with the PUNCH_HOLE flag on the affected file range can trigger a kernel BUG, leading to a kernel panic and system crash. The vulnerability is rooted in the complex interaction between huge page management, userfaultfd write-protection, and memory migration entries, with the kernel failing to correctly handle certain edge cases. The patch series referenced addresses these issues by correcting the PTE marker handling logic in hugetlb_change_protection(). No known exploits are reported in the wild, and the vulnerability requires specific conditions involving huge pages, userfaultfd write-protection, and file operations to be triggered. The vulnerability affects Linux kernel versions identified by the given commit hashes and is relevant to systems using huge pages with userfaultfd write-protection, commonly found in virtualization environments such as QEMU where virtio-mem and background snapshots are used.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to environments running Linux kernels with huge page support and userfaultfd write-protection enabled, especially in virtualization and cloud infrastructure contexts. The vulnerability can cause kernel panics and system crashes, leading to denial of service (DoS) conditions. This can disrupt critical services, particularly in data centers, cloud providers, and enterprises relying on virtual machines or containerized workloads that utilize huge pages for performance optimization. The impact on confidentiality and integrity is limited as the vulnerability does not directly enable privilege escalation or arbitrary code execution; however, the resulting instability and crashes can cause service outages and potential data loss if systems are not properly backed up or if critical processes are interrupted. Given the complexity and specific triggering conditions, exploitation requires privileged access or the ability to perform specific memory and file operations, reducing the likelihood of remote exploitation but increasing risk from insider threats or compromised systems. The vulnerability may also affect embedded systems or specialized appliances running affected Linux kernels, which are common in industrial and telecommunications sectors in Europe.
Mitigation Recommendations
European organizations should prioritize patching affected Linux kernel versions with the fixes addressing hugetlb_change_protection() PTE marker handling. Specifically, kernel upgrades to versions including the referenced patch series should be deployed promptly in all environments using huge pages and userfaultfd write-protection. For virtualization platforms like QEMU, ensure that the host and guest kernels are updated to prevent triggering the vulnerability during memory snapshot or migration operations. Additionally, organizations should audit their use of huge pages and userfaultfd write-protection features, disabling or limiting these where not strictly necessary to reduce the attack surface. Monitoring kernel logs for VM_BUG_ON or kernel panic messages related to hugetlb or uffd-wp can help detect attempts to trigger this vulnerability. Implement strict access controls and privilege separation to prevent unauthorized users from performing the specific memory and file operations required to exploit this issue. Backup critical data regularly to mitigate potential data loss from unexpected system crashes. Finally, coordinate with Linux distribution vendors and virtualization software providers to ensure timely receipt of security updates and advisories.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-03-27T16:39:17.990Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982cc4522896dcbe4a8f
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 1:11:11 AM
Last updated: 8/6/2025, 5:17:46 PM
Views: 17
Related Threats
CVE-2025-43735: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
MediumCVE-2025-40770: CWE-300: Channel Accessible by Non-Endpoint in Siemens SINEC Traffic Analyzer
HighCVE-2025-40769: CWE-1164: Irrelevant Code in Siemens SINEC Traffic Analyzer
HighCVE-2025-40768: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Siemens SINEC Traffic Analyzer
HighCVE-2025-40767: CWE-250: Execution with Unnecessary Privileges in Siemens SINEC Traffic Analyzer
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.