CVE-2022-48797

16.07.2024, 12:15

In the Linux kernel, the following vulnerability has been resolved:

mm: don't try to NUMA-migrate COW pages that have other uses

Oded Gabbay reports that enabling NUMA balancing causes corruption with
his Gaudi accelerator test load:

 "All the details are in the bug, but the bottom line is that somehow,
  this patch causes corruption when the numa balancing feature is
  enabled AND we don't use process affinity AND we use GUP to pin pages
  so our accelerator can DMA to/from system memory.

  Either disabling numa balancing, using process affinity to bind to
  specific numa-node or reverting this patch causes the bug to
  disappear"

and Oded bisected the issue to commit 09854ba94c6a ("mm: do_wp_page()
simplification").

Now, the NUMA balancing shouldn't actually be changing the writability
of a page, and as such shouldn't matter for COW.  But it appears it
does.  Suspicious.

However, regardless of that, the condition for enabling NUMA faults in
change_pte_range() is nonsensical.  It uses "page_mapcount(page)" to
decide if a COW page should be NUMA-protected or not, and that makes
absolutely no sense.

The number of mappings a page has is irrelevant: not only does GUP get a
reference to a page as in Oded's case, but the other mappings migth be
paged out and the only reference to them would be in the page count.

Since we should never try to NUMA-balance a page that we can't move
anyway due to other references, just fix the code to use 'page_count()'.
Oded confirms that that fixes his issue.

Now, this does imply that something in NUMA balancing ends up changing
page protections (other than the obvious one of making the page
inaccessible to get the NUMA faulting information).  Otherwise the COW
simplification wouldn't matter - since doing the GUP on the page would
make sure it's writable.

The cause of that permission change would be good to figure out too,
since it clearly results in spurious COW events - but fixing the
nonsensical test that just happened to work before is obviously the
CorrectThing(tm) to do regardless.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Linux	CNA	---	---
CVE	ADP	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-allwinner-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-aws-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

noble	dne
jammy	dne
focal	not-affected

linux-aws-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-aws-5.8

noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

noble	dne
jammy	not-affected
focal	dne

linux-aws-fips

noble	dne
jammy	dne
focal	dne

linux-aws-hwe

noble	dne
jammy	dne
focal	dne
xenial	not-affected

linux-azure

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-azure-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.11

noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

noble	dne
jammy	dne
focal	not-affected

linux-azure-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.8

noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

noble	dne
jammy	not-affected
focal	dne

linux-azure-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

noble	dne
jammy	not-affected
focal	ignored

linux-azure-fde-5.15

noble	dne
jammy	dne
focal	not-affected

linux-azure-fde-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-fips

noble	dne
jammy	dne
focal	dne

linux-bluefield

noble	dne
jammy	dne
focal	not-affected

linux-fips

noble	dne
jammy	dne
focal	dne

linux-gcp

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected

linux-gcp-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.11

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

noble	dne
jammy	dne
focal	not-affected

linux-gcp-5.19

noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.8

noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

noble	dne
jammy	not-affected
focal	dne

linux-gcp-fips

noble	dne
jammy	dne
focal	dne

linux-gke

noble	not-affected
jammy	not-affected
focal	ignored

linux-gke-4.15

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

noble	dne
jammy	not-affected
focal	not-affected

linux-gkeop-5.15

noble	dne
jammy	dne
focal	not-affected

linux-gkeop-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	not-affected

linux-hwe-5.11

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

noble	dne
jammy	dne
focal	not-affected

linux-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-hwe-5.8

noble	dne
jammy	dne
focal	ignored

linux-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

noble	not-affected
jammy	not-affected
focal	not-affected

linux-ibm-5.15

noble	dne
jammy	dne
focal	not-affected

linux-ibm-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-intel

noble	not-affected
jammy	dne
focal	dne

linux-intel-5.13

noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg

noble	dne
jammy	not-affected
focal	dne

linux-intel-iotg-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1008.11~20.04.1 released

linux-iot

noble	dne
jammy	dne
focal	not-affected

linux-kvm

noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-lowlatency

noble	not-affected
jammy	not-affected
focal	dne

linux-lowlatency-hwe-5.15

noble	dne
jammy	dne
focal	not-affected

linux-lowlatency-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

noble	dne
jammy	dne
focal	dne
trusty	not-affected

linux-nvidia

noble	not-affected
jammy	not-affected
focal	dne

linux-nvidia-6.2

noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

noble	dne
jammy	not-affected
focal	dne

linux-nvidia-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-lowlatency

noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

noble	dne
jammy	ignored
focal	dne

linux-oem-6.5

noble	dne
jammy	not-affected
focal	dne

linux-oem-6.8

noble	not-affected
jammy	dne
focal	dne

linux-oracle

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-oracle-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

noble	dne
jammy	dne
focal	not-affected

linux-oracle-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-oracle-5.8

noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

noble	dne
jammy	not-affected
focal	dne

linux-raspi

noble	not-affected
jammy	not-affected
focal	not-affected

linux-raspi-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-raspi-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi2

noble	dne
jammy	dne
focal	ignored

linux-realtime

noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv

noble	not-affected
jammy	ignored
focal	ignored

linux-riscv-5.11

noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

noble	dne
jammy	dne
focal	not-affected

linux-riscv-5.19

noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-5.19

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

noble	dne
jammy	not-affected
focal	dne

linux-xilinx-zynqmp

noble	dne
jammy	not-affected
focal	not-affected

References

https://git.kernel.org/stable/c/254090925e16abd914c87b4ad1b489440d89c4c3

https://git.kernel.org/stable/c/80d47f5de5e311cbc0d01ebb6ee684e8f4c196c6

https://git.kernel.org/stable/c/b3dc4b9d3ca68b370c4aeab5355007eedf948849

https://git.kernel.org/stable/c/d187eeb02d18446e5e54ed6bcbf8b47e6551daea

https://git.kernel.org/stable/c/254090925e16abd914c87b4ad1b489440d89c4c3

https://git.kernel.org/stable/c/80d47f5de5e311cbc0d01ebb6ee684e8f4c196c6

https://git.kernel.org/stable/c/b3dc4b9d3ca68b370c4aeab5355007eedf948849

https://git.kernel.org/stable/c/d187eeb02d18446e5e54ed6bcbf8b47e6551daea