CVE-2022-48762

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: extable: fix load_unaligned_zeropad() reg indices<br /> <br /> In ex_handler_load_unaligned_zeropad() we erroneously extract the data and<br /> addr register indices from ex-&gt;type rather than ex-&gt;data. As ex-&gt;type will<br /> contain EX_TYPE_LOAD_UNALIGNED_ZEROPAD (i.e. 4):<br /> * We&amp;#39;ll always treat X0 as the address register, since EX_DATA_REG_ADDR is<br /> extracted from bits [9:5]. Thus, we may attempt to dereference an<br /> arbitrary address as X0 may hold an arbitrary value.<br /> * We&amp;#39;ll always treat X4 as the data register, since EX_DATA_REG_DATA is<br /> extracted from bits [4:0]. Thus we will corrupt X4 and cause arbitrary<br /> behaviour within load_unaligned_zeropad() and its caller.<br /> <br /> Fix this by extracting both values from ex-&gt;data as originally intended.<br /> <br /> On an MTE-enabled QEMU image we are hitting the following crash:<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000<br /> Call trace:<br /> fixup_exception+0xc4/0x108<br /> __do_kernel_fault+0x3c/0x268<br /> do_tag_check_fault+0x3c/0x104<br /> do_mem_abort+0x44/0xf4<br /> el1_abort+0x40/0x64<br /> el1h_64_sync_handler+0x60/0xa0<br /> el1h_64_sync+0x7c/0x80<br /> link_path_walk+0x150/0x344<br /> path_openat+0xa0/0x7dc<br /> do_filp_open+0xb8/0x168<br /> do_sys_openat2+0x88/0x17c<br /> __arm64_sys_openat+0x74/0xa0<br /> invoke_syscall+0x48/0x148<br /> el0_svc_common+0xb8/0xf8<br /> do_el0_svc+0x28/0x88<br /> el0_svc+0x24/0x84<br /> el0t_64_sync_handler+0x88/0xec<br /> el0t_64_sync+0x1b4/0x1b8<br /> Code: f8695a69 71007d1f 540000e0 927df12a (f940014a)