Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49992

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
14/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/mprotect: only reference swap pfn page if type match<br /> <br /> Yu Zhao reported a bug after the commit "mm/swap: Add swp_offset_pfn() to<br /> fetch PFN from swap entry" added a check in swp_offset_pfn() for swap type [1]:<br /> <br /> kernel BUG at include/linux/swapops.h:117!<br /> CPU: 46 PID: 5245 Comm: EventManager_De Tainted: G S O L 6.0.0-dbg-DEV #2<br /> RIP: 0010:pfn_swap_entry_to_page+0x72/0xf0<br /> Code: c6 48 8b 36 48 83 fe ff 74 53 48 01 d1 48 83 c1 08 48 8b 09 f6<br /> c1 01 75 7b 66 90 48 89 c1 48 8b 09 f6 c1 01 74 74 5d c3 eb 9e 0b<br /> 48 ba ff ff ff ff 03 00 00 00 eb ae a9 ff 0f 00 00 75 13 48<br /> RSP: 0018:ffffa59e73fabb80 EFLAGS: 00010282<br /> RAX: 00000000ffffffe8 RBX: 0c00000000000000 RCX: ffffcd5440000000<br /> RDX: 1ffffffffff7a80a RSI: 0000000000000000 RDI: 0c0000000000042b<br /> RBP: ffffa59e73fabb80 R08: ffff9965ca6e8bb8 R09: 0000000000000000<br /> R10: ffffffffa5a2f62d R11: 0000030b372e9fff R12: ffff997b79db5738<br /> R13: 000000000000042b R14: 0c0000000000042b R15: 1ffffffffff7a80a<br /> FS: 00007f549d1bb700(0000) GS:ffff99d3cf680000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000440d035b3180 CR3: 0000002243176004 CR4: 00000000003706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> change_pte_range+0x36e/0x880<br /> change_p4d_range+0x2e8/0x670<br /> change_protection_range+0x14e/0x2c0<br /> mprotect_fixup+0x1ee/0x330<br /> do_mprotect_pkey+0x34c/0x440<br /> __x64_sys_mprotect+0x1d/0x30<br /> <br /> It triggers because pfn_swap_entry_to_page() could be called upon e.g. a<br /> genuine swap entry.<br /> <br /> Fix it by only calling it when it&amp;#39;s a write migration entry where the page*<br /> is used.<br /> <br /> [1] https://lore.kernel.org/lkml/CAOUHufaVC2Za-p8m0aiHw6YkheDcrO-C3wRGixwDS32VTS+k1w@mail.gmail.com/

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 5.19.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools