CVE-2022-49052

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
14/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: fix unexpected zeroed page mapping with zram swap

With two processes under CLONE_VM cloning, a user process can be corrupted by
seeing a zeroed page unexpectedly.

CPU A                          CPU B

do_swap_page                   do_swap_page
SWP_SYNCHRONOUS_IO path        SWP_SYNCHRONOUS_IO path
swap_readpage valid data
  swap_slot_free_notify
    delete zram entry
                               swap_readpage zeroed(invalid) data
                               pte_lock
                               map the *zero data* to userspace
                               pte_unlock
pte_lock
if (!pte_same)
  goto out_nomap;
pte_unlock
return and next refault will
read zeroed data

The swap_slot_free_notify is bogus for the CLONE_VM case since it doesn't
increase the refcount of the swap slot at copy_mm, so it couldn't catch up
whether it's safe or not to discard data from the backing device. In that
case, the only lock it could rely on to synchronize swap slot freeing is the
page table lock. Thus, this patch gets rid of the swap_slot_free_notify
function. With this patch, CPU A will see correct data.

CPU A                          CPU B

do_swap_page                   do_swap_page
SWP_SYNCHRONOUS_IO path        SWP_SYNCHRONOUS_IO path
                               swap_readpage original data
                               pte_lock
                               map the original data
                               swap_free
                                 swap_range_free
                                   bd_disk->fops->swap_slot_free_notify
swap_readpage read zeroed data
                               pte_unlock
pte_lock
if (!pte_same)
  goto out_nomap;
pte_unlock
return
on next refault will see mapped data by CPU B

The concern with the patch is that it would increase memory consumption, since
it could keep wasted memory in compressed form in zram as well as in
uncompressed form in the address space. However, in most cases zram uses no
readahead and do_swap_page is followed by swap_free, so it will free the
compressed form in zram quickly.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.242 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.193 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.112 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.17.4 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc2:*:*:*:*:*:*
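The description only bites on the SWP_SYNCHRONOUS_IO path, i.e. when swap is backed by zram, and the CPE table above gives upstream version ranges. The following script, added here as an example and not part of this advisory or of the kernel project, turns those two facts into a host check: it parses a `uname -r` string against the table's ranges and looks for a zram device in /proc/swaps. The embedded /proc/swaps text is a constructed sample; the function names (`parse_kernel_release`, `is_affected_version`, `zram_swap_devices`, `assess`) are this example's own. Upstream ranges are an upper bound only: distribution kernels often backport the fix without bumping the version, so a positive result means "check the distro changelog for the commit", not "confirmed vulnerable".

```python
"""Affected-version and precondition check for CVE-2022-49052.

Added example (not the advisory's or the kernel project's own code).
AFFECTED_RANGES and AFFECTED_RC are transcribed from the advisory's CPE table;
SAMPLE_PROC_SWAPS is a constructed sample of /proc/swaps output.
"""
import re

# (first affected, first fixed) per stable series, half-open intervals.
AFFECTED_RANGES = [
    ((4, 15, 0), (4, 19, 242)),
    ((4, 20, 0), (5, 4, 193)),
    ((5, 5, 0), (5, 10, 112)),
    ((5, 11, 0), (5, 15, 35)),
    ((5, 16, 0), (5, 17, 4)),
]
# Release candidates listed individually in the table.
AFFECTED_RC = {"5.18-rc1", "5.18-rc2"}

# Constructed sample: one zram swap device and one swap file.
SAMPLE_PROC_SWAPS = """Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority
/dev/zram0                              partition\t4194300\t\t0\t\t100
/swapfile                               file\t\t8388604\t\t0\t\t-2
"""


def parse_kernel_release(release):
    """Parse a `uname -r` string such as '5.10.111-1-amd64', '5.18-rc1' or
    '5.18.0-rc2' into ((major, minor, patch), rc_tag). Distro suffixes after
    the rc component are ignored; rc_tag is None for a final release."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    rc_tag = f"{major}.{minor}-rc{rc}" if rc else None
    return version, rc_tag


def is_affected_version(release):
    """True if the upstream version falls inside one of the advisory's ranges.
    Backported distro fixes are NOT detected by a version comparison."""
    version, rc_tag = parse_kernel_release(release)
    if rc_tag is not None:
        return rc_tag in AFFECTED_RC
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def zram_swap_devices(proc_swaps_text):
    """Return the zram devices listed in /proc/swaps text. The zeroed-page
    race in the description needs the synchronous (SWP_SYNCHRONOUS_IO) swap
    path that zram-backed swap takes; file-backed swap is not the case here."""
    devices = []
    for line in proc_swaps_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("/dev/zram"):
            devices.append(fields[0])
    return devices


def assess(release, proc_swaps_text):
    """Combine both checks. 'exposed' is True only when the version is in an
    affected range AND zram is actually in use as swap."""
    affected = is_affected_version(release)
    zram = zram_swap_devices(proc_swaps_text)
    return {
        "release": release,
        "version_in_affected_range": affected,
        "zram_swap_devices": zram,
        "exposed": affected and bool(zram),
    }


if __name__ == "__main__":
    # Run against the live host when possible, otherwise against the sample.
    import platform
    try:
        with open("/proc/swaps", encoding="ascii") as fh:
            swaps_text = fh.read()
    except OSError:
        swaps_text = SAMPLE_PROC_SWAPS
    print(assess(platform.release() or "5.15.34", swaps_text))
```

On a host with zram swap the call `assess(platform.release(), open("/proc/swaps").read())` gives the full picture; a False `version_in_affected_range` on a distro kernel still warrants a look at the package changelog for the upstream commit title, since the version string alone cannot see backports.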