NACK: [SRU Bionic 0/1] CVE-2022-41222
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Tue Nov 22 11:57:06 UTC 2022
On Tue, Nov 22, 2022 at 09:19:10AM +0300, Cengiz Can wrote:
> [Impact]
> mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale
> TLB because an rmap lock is not held during a PUD move.
>
> [Fix]
> This is a backport of a backport.
>
> A single commit was backported as far as 5.4.y on stable. It didn't apply
> cleanly on our tree, so I had to make some adjustments.
>
> [Test case]
> Compile, boot and POC tested.
>
> [Potential regression]
> High. The fix removes a flag from the locking mechanism in the page table mover logic.
>
> Aneesh Kumar K.V (1):
> mm/mremap: hold the rmap lock in write mode when moving page table entries.
>
> mm/mremap.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> --
> 2.37.2
According to our triage, this does not affect 4.15 and earlier kernels.
Cascardo.
More information about the kernel-team mailing list