{
  "threat_severity" : "Low",
  "public_date" : "2025-03-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm/hugetlb: fix PTE marker handling in hugetlb_change_protection()",
    "id" : "2355517",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2355517"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-665",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/hugetlb: fix PTE marker handling in hugetlb_change_protection()\nPatch series \"mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()\".\nPlaying with virtio-mem and background snapshots (using uffd-wp) on\nhugetlb in QEMU, I managed to trigger a VM_BUG_ON().  Looking into the\ndetails, hugetlb_change_protection() seems to not handle uffd-wp correctly\nin all cases.\nPatch #1 fixes my test case.  I don't have reproducers for patch #2, as it\nrequires running into migration entries.\nI did not yet check in detail yet if !hugetlb code requires similar care.\nThis patch (of 2):\nThere are two problematic cases when stumbling over a PTE marker in\nhugetlb_change_protection():\n(1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will\nend up in the \"!huge_pte_none(pte)\" case and mess up the PTE marker.\n(2) We unprotect a uffd-wp PTE marker: we will similarly end up in the\n\"!huge_pte_none(pte)\" case even though we cleared the PTE, because\nthe \"pte\" variable is stale. We'll mess up the PTE marker.\nFor example, if we later stumble over such a \"wrongly modified\" PTE marker,\nwe'll treat it like a present PTE that maps some garbage page.\nThis can, for example, be triggered by mapping a memfd backed by huge\npages, registering uffd-wp, uffd-wp'ing an unmapped page and (a)\nuffd-wp'ing it a second time; or (b) uffd-unprotecting it; or (c)\nunregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE)\non that file range, we will run into a VM_BUG_ON:\n[  195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0\n[  195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff)\n[  195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000\n[  195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[  195.039569] page dumped because: VM_BUG_ON_PAGE(compound && !PageHead(page))\n[  195.039573] ------------[ cut here ]------------\n[  195.039574] kernel BUG at mm/rmap.c:1346!\n[  195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[  195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1\n[  195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022\n[  195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550\n[  195.039588] Code: [...]\n[  195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292\n[  195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000\n[  195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff\n[  195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08\n[  195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0\n[  195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100\n[  195.039595] FS:  00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000\n[  195.039596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0\n[  195.039598] PKRU: 55555554\n[  195.039599] Call Trace:\n[  195.039600]  <TASK>\n[  195.039602]  __unmap_hugepage_range+0x33b/0x7d0\n[  195.039605]  unmap_hugepage_range+0x55/0x70\n[  195.039608]  hugetlb_vmdelete_list+0x77/0xa0\n[  195.039611]  hugetlbfs_fallocate+0x410/0x550\n[  195.039612]  ? _raw_spin_unlock_irqrestore+0x23/0x40\n[  195.039616]  vfs_fallocate+0x12e/0x360\n[  195.039618]  __x64_sys_fallocate+0x40/0x70\n[  195.039620]  do_syscall_64+0x58/0x80\n[  195.039623]  ? syscall_exit_to_user_mode+0x17/0x40\n[  195.039624]  ? do_syscall_64+0x67/0x80\n[  195.039626]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[  195.039628] RIP: 0033:0x7fc7b590651f\n[  195.039653] Code: [...]\n[  195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d\n[  195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49760\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49760\nhttps://lore.kernel.org/linux-cve-announce/2025032703-CVE-2022-49760-97be@gregkh/T" ],
  "name" : "CVE-2022-49760",
  "csaw" : false
}