CVE-2022-49520
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
26/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall

If a compat process tries to execute an unknown system call above the
__ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the
offending process. Information about the error is printed to dmesg in
compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() ->
arm64_show_signal().

arm64_show_signal() interprets a non-zero value for
current->thread.fault_code as an exception syndrome and displays the
message associated with the ESR_ELx.EC field (bits 31:26).
current->thread.fault_code is set in compat_arm_syscall() ->
arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx
value. This means that the ESR_ELx.EC field has the value that the user set
for the syscall number and the kernel can end up printing bogus exception
messages*. For example, for the syscall number 0x68000000, which evaluates
to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC), the kernel prints this error:

[ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]
[ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79
[ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]

which is misleading, as the bad compat syscall has nothing to do with
pointer authentication.

Stop arm64_show_signal() from printing exception syndrome information by
having compat_arm_syscall() set the ESR_ELx value to 0, as it has no
meaning for an invalid system call number. The example above now becomes:

[ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]
[ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80
[ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)
[..]

which, although it shows less information because the syscall number,
wrongfully advertised as the ESR value, is missing, is better than
showing plainly wrong information. The syscall number can be easily
obtained with strace.

*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative
integer in compat_arm_syscall() and the condition scno
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/095e975f8150ccd7f852eb578c1cdbdd2f517c7a
- https://git.kernel.org/stable/c/3910ae71cb963fa2b68e684489d4fc3d105afda0
- https://git.kernel.org/stable/c/3fed9e551417b84038b15117732ea4505eee386b
- https://git.kernel.org/stable/c/621916afe8cd4f322eb12759b64a2f938d4e551d
- https://git.kernel.org/stable/c/ad97425d23af3c3b8d4f6a2bb666cb485087c007
- https://git.kernel.org/stable/c/efd183d988b416fcdf6f7c298a17ced4859ca77d