CVE-2022-50675
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/12/2025
Last modified:
09/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored

Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE
is untagged"), mte_sync_tags() was only called for pte_tagged() entries
(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use
test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently
setting PG_mte_tagged on an untagged page.

The above commit was required as guests may enable MTE without any
control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.
However, the side-effect was that any page with a PTE that looked like
swap (or migration) was getting PG_mte_tagged set automatically. A
subsequent page copy (e.g. migration) copied the tags to the destination
page even if the tags were owned by KASAN.

This issue was masked by the page_kasan_tag_reset() call introduced in
commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags").
When this commit was reverted (20794545c146), KASAN started reporting
access faults because the overriding tags in a page did not match the
original page->flags (with CONFIG_KASAN_HW_TAGS=y):

BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
Read at addr f5ff000017f2e000 by task syz-executor.1/2218
Pointer tag: [f5], memory tag: [f2]

Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual
place where tags are cleared (mte_sync_page_tags()) or restored
(mte_restore_tags()).
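The description above is the kernel commit message; the following C model is an added example written for this page, not code from the Linux kernel or the CVE record. It reduces the mechanism to a few structures: a `struct page` with a flag word, a tiny tag store and a constructed `owner` field recording whether KASAN or userspace last wrote the tags, and a `struct pte` that is either a present mapping (PROT_MTE or not) or a swap/migration-looking entry with or without saved tags. `PG_MTE_TAGGED`, `TAGS_PER_PAGE`, the tag values and all function bodies are assumptions chosen to mirror the behaviour the message describes: with `fixed == false` the flag is set up front in `mte_sync_tags()` as `test_and_set_bit()` did, so a later page copy carries KASAN-owned tags across; with `fixed == true` the flag is set only inside the clear and restore paths, so a page whose tags were never touched stays unflagged while genuinely tagged pages are still flagged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the flag/tag logic described above; not kernel code.
 * A page has a flag word, a tiny tag store and a note of who wrote the tags. */
#define TAGS_PER_PAGE 4        /* constructed; real pages hold far more granules */
#define PG_MTE_TAGGED 0x1UL    /* stands in for PG_mte_tagged in page->flags */

enum tag_owner { OWNER_KASAN, OWNER_USER };

struct page { unsigned long flags; uint8_t tags[TAGS_PER_PAGE]; enum tag_owner owner; };

/* Model PTE: a present mapping (PROT_MTE or not) or a swap/migration entry. */
struct pte { bool present; bool tagged; bool saved_tags; };

static bool is_swap_pte(struct pte p) { return !p.present; }
static bool pte_tagged(struct pte p)  { return p.present && p.tagged; }

/* Tags are really written here: cleared for a fresh PROT_MTE mapping ... */
static void mte_clear_page_tags(struct page *pg)
{
    memset(pg->tags, 0, sizeof pg->tags);
    pg->owner = OWNER_USER;
}

/* ... or restored from the swap entry. Returns false if nothing was saved. */
static bool mte_restore_tags(struct pte old, struct page *pg, bool fixed)
{
    if (!old.saved_tags)
        return false;
    memset(pg->tags, 0xA, sizeof pg->tags);   /* constructed saved tag value */
    pg->owner = OWNER_USER;
    if (fixed)
        pg->flags |= PG_MTE_TAGGED;           /* fix: flag set where tags are restored */
    return true;
}

static void mte_sync_page_tags(struct page *pg, struct pte old, bool pte_is_tagged, bool fixed)
{
    if (is_swap_pte(old) && mte_restore_tags(old, pg, fixed))
        return;
    if (!pte_is_tagged)
        return;                               /* neither cleared nor restored */
    mte_clear_page_tags(pg);
    if (fixed)
        pg->flags |= PG_MTE_TAGGED;           /* fix: flag set where tags are cleared */
}

/* Pre-fix: test_and_set_bit() flagged every page reaching this point.
 * Post-fix: the bit is only tested here and set inside the two paths above. */
static void mte_sync_tags(struct page *pg, struct pte old, struct pte cur, bool fixed)
{
    bool pte_is_tagged = pte_tagged(cur);

    if (!is_swap_pte(old) && !pte_is_tagged)
        return;                               /* nothing to do */
    if (fixed) {
        if (!(pg->flags & PG_MTE_TAGGED))
            mte_sync_page_tags(pg, old, pte_is_tagged, true);
        return;
    }
    bool was_set = pg->flags & PG_MTE_TAGGED;
    pg->flags |= PG_MTE_TAGGED;               /* bug: set even if nothing is cleared/restored */
    if (!was_set)
        mte_sync_page_tags(pg, old, pte_is_tagged, false);
}

/* Page copy (e.g. migration): tags travel with the page only if it is flagged. */
static bool copy_page_model(struct page *to, const struct page *from)
{
    if (!(from->flags & PG_MTE_TAGGED))
        return false;
    to->flags |= PG_MTE_TAGGED;
    memcpy(to->tags, from->tags, sizeof to->tags);
    return true;
}

/* Scenario from the commit message: KASAN-owned tags, a swap-looking old PTE with
 * nothing saved, and a new mapping that is not PROT_MTE. Returns true if the copy
 * propagated KASAN's tags, i.e. the mismatch KASAN later reports. */
bool kasan_tags_leak_on_migration(bool fixed)
{
    struct page src = { .flags = 0, .owner = OWNER_KASAN }, dst = { 0 };
    struct pte old = { .present = false }, cur = { .present = true, .tagged = false };

    memset(src.tags, 0xF, sizeof src.tags);   /* constructed KASAN-assigned tags */
    mte_sync_tags(&src, old, cur, fixed);
    return copy_page_model(&dst, &src) && src.owner == OWNER_KASAN;
}

/* Legitimate cases must still be flagged after the fix: a PROT_MTE mapping
 * (tags cleared) or a swap entry with saved tags (tags restored). */
bool page_flagged_with_user_tags(bool fixed, bool prot_mte, bool saved_tags)
{
    struct page pg = { .flags = 0, .owner = OWNER_KASAN };
    struct pte old = { .present = false, .saved_tags = saved_tags };
    struct pte cur = { .present = true, .tagged = prot_mte };

    mte_sync_tags(&pg, old, cur, fixed);
    return (pg.flags & PG_MTE_TAGGED) && pg.owner == OWNER_USER;
}
```

The check worth keeping from this model is the invariant the fix restores: `PG_mte_tagged` may only be set on the same path that actually writes the page's tags, because every consumer (here `copy_page_model()`, in the kernel the tag-copying page-copy routines) treats the flag as "these tags belong to the page and are safe to carry along". `kasan_tags_leak_on_migration(false)` returns true and `kasan_tags_leak_on_migration(true)` returns false, while `page_flagged_with_user_tags()` returns true for a PROT_MTE mapping or a restored swap entry under both versions.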