CVE-2022-49554

zsmalloc: fix races between asynchronous zspage free and page migration

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire page
list without defending against page migration. Since pages which haven't
yet been locked can concurrently migrate off the zspage page list while
lock_zspage() churns away, lock_zspage() can suffer from a few different
lethal races. It can lock a page which no longer belongs to the zspage and unsafely
dereference page_private(), it can unsafely dereference a torn pointer to
the next page (since there's a data race), and it can observe a spurious
NULL pointer to the next page and thus not lock all of the zspage's pages
(since a single page migration will reconstruct the entire page list, and
create_page_chain() unconditionally zeroes out each list pointer in the
process). Fix the races by using migrate_read_lock() in lock_zspage() to synchronize
with page migration.

In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races. It can lock a page which no longer belongs to the zspage and unsafely dereference page_private(), it can unsafely dereference a torn pointer to the next page (since there's a data race), and it can observe a spurious NULL pointer to the next page and thus not lock all of the zspage's pages (since a single page migration will reconstruct the entire page list, and create_page_chain() unconditionally zeroes out each list pointer in the process). Fix the races by using migrate_read_lock() in lock_zspage() to synchronize with page migration.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-02-26 CVE Reserved
2025-02-26 CVE Published
2025-02-26 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/77ff465799c60294e248000cd22ae8171da3304c	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3674d8a8dadd03a447dd21069d4dacfc3399b63b	2022-06-06
https://git.kernel.org/stable/c/645996efc2ae391246d595832aaa6f9d3cc338c7	2022-06-06
https://git.kernel.org/stable/c/fc658c083904427abbf8f18280d517ee2668677c	2022-06-06
https://git.kernel.org/stable/c/fae05b2314b147a78fbed1dc4c645d9a66313758	2022-06-06
https://git.kernel.org/stable/c/3ec459c8810e658401be428d3168eacfc380bdd0	2022-06-06
https://git.kernel.org/stable/c/8ba7b7c1dad1f6503c541778f31b33f7f62eb966	2022-06-06
https://git.kernel.org/stable/c/c5402fb5f71f1a725f1e55d9c6799c0c7bec308f	2022-06-06
https://git.kernel.org/stable/c/2505a981114dcb715f8977b8433f7540854851d8	2022-05-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.14.282 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.14.282"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.19.246 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.19.246"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.4.197 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.4.197"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.10.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.10.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.15.45 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.15.45"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.17.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.17.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.18.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.18.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.19"		en		Affected