CVE-2022-49554

In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races. It can lock a page which no longer belongs to the zspage and unsafely dereference page_private(), it can unsafely dereference a torn pointer to the next page (since there's a data race), and it can observe a spurious NULL pointer to the next page and thus not lock all of the zspage's pages (since a single page migration will reconstruct the entire page list, and create_page_chain() unconditionally zeroes out each list pointer in the process). Fix the races by using migrate_read_lock() in lock_zspage() to synchronize with page migration.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8	Patch
https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b	Patch
https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0	Patch
https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7	Patch
https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966	Patch
https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f	Patch
https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758	Patch
https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

22 Oct 2025, 17:33

Type	Values Removed	Values Added
First Time		Linux linux Kernel Linux
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.7
CWE		CWE-362
References	~~() https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8 -~~	() https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8 - Patch
References	~~() https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b -~~	() https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b - Patch
References	~~() https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0 -~~	() https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0 - Patch
References	~~() https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7 -~~	() https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7 - Patch
References	~~() https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966 -~~	() https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966 - Patch
References	~~() https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f -~~	() https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f - Patch
References	~~() https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758 -~~	() https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758 - Patch
References	~~() https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c -~~	() https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c - Patch
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: zsmalloc: arregla las ejecuciones entre la liberación asincrónica de zspage y la migración de página El trabajador de liberación asincrónica de zspage intenta bloquear la lista completa de páginas de una zspage sin defenderse contra la migración de página. Dado que las páginas que aún no se han bloqueado pueden migrar simultáneamente fuera de la lista de páginas de la zspage mientras lock_zspage() se procesa, lock_zspage() puede sufrir algunas ejecuciones letales diferentes. Puede bloquear una página que ya no pertenece a la zspage y desreferenciar de forma insegura page_private(), puede desreferenciar de forma insegura un puntero roto a la siguiente página (ya que hay una ejecución de datos), y puede observar un puntero NULL espurio a la siguiente página y, por lo tanto, no bloquear todas las páginas de la zspage (ya que una sola migración de página reconstruirá la lista de páginas completa, y create_page_chain() pone a cero incondicionalmente cada puntero de lista en el proceso). Corrija las ejecuciones usando migrants_read_lock() en lock_zspage() para sincronizar con la migración de página.
CPE		cpe:2.3:o:linux:linux_kernel::::::::

26 Feb 2025, 07:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-26 07:01

Updated : 2025-10-22 17:33

NVD link : CVE-2022-49554

Mitre link : CVE-2022-49554

CVE.ORG link : CVE-2022-49554

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

4.7 /10