CVE-2022-49520

{"id": "CVE-2022-49520", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:28.017", "references": [{"url": "https://git.kernel.org/stable/c/095e975f8150ccd7f852eb578c1cdbdd2f517c7a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3910ae71cb963fa2b68e684489d4fc3d105afda0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3fed9e551417b84038b15117732ea4505eee386b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/621916afe8cd4f322eb12759b64a2f938d4e551d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad97425d23af3c3b8d4f6a2bb666cb485087c007", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/efd183d988b416fcdf6f7c298a17ced4859ca77d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall\n\nIf a compat process tries to execute an unknown system call above the\n__ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the\noffending process. Information about the error is printed to dmesg in\ncompat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() ->\narm64_show_signal().\n\narm64_show_signal() interprets a non-zero value for\ncurrent->thread.fault_code as an exception syndrome and displays the\nmessage associated with the ESR_ELx.EC field (bits 31:26).\ncurrent->thread.fault_code is set in compat_arm_syscall() ->\narm64_notify_die() with the bad syscall number instead of a valid ESR_ELx\nvalue. This means that the ESR_ELx.EC field has the value that the user set\nfor the syscall number and the kernel can end up printing bogus exception\nmessages*. For example, for the syscall number 0x68000000, which evaluates\nto ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error:\n\n[ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000]\n[ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79\n[ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT)\n[..]\n\nwhich is misleading, as the bad compat syscall has nothing to do with\npointer authentication.\n\nStop arm64_show_signal() from printing exception syndrome information by\nhaving compat_arm_syscall() set the ESR_ELx value to 0, as it has no\nmeaning for an invalid system call number. The example above now becomes:\n\n[ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000]\n[ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80\n[ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT)\n[..]\n\nwhich although shows less information because the syscall number,\nwrongfully advertised as the ESR value, is missing, it is better than\nshowing plainly wrong information. The syscall number can be easily\nobtained with strace.\n\n*A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative\ninteger in compat_arm_syscal() and the condition scno < __ARM_NR_COMPAT_END\nevaluates to true; the syscall will exit to userspace in this case with the\nENOSYS error code instead of arm64_notify_die() being called."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: compat: No trate el n\u00famero de llamada al sistema como ESR_ELx para una llamada al sistema incorrecta Si un proceso compat intenta ejecutar una llamada al sistema desconocida por encima del n\u00famero __ARM_NR_COMPAT_END, el kernel env\u00eda una se\u00f1al SIGILL al proceso infractor. La informaci\u00f3n sobre el error se imprime en dmesg en compat_arm_syscall() -&gt; arm64_notify_die() -&gt; arm64_force_sig_fault() -&gt; arm64_show_signal(). arm64_show_signal() interpreta un valor distinto de cero para current-&gt;thread.fault_code como un s\u00edndrome de excepci\u00f3n y muestra el mensaje asociado con el campo ESR_ELx.EC (bits 31:26). current-&gt;thread.fault_code se configura en compat_arm_syscall() -&gt; arm64_notify_die() con el n\u00famero de llamada al sistema incorrecto en lugar de un valor ESR_ELx v\u00e1lido. Esto significa que el campo ESR_ELx.EC tiene el valor que el usuario configur\u00f3 para el n\u00famero de llamada al sistema y el n\u00facleo puede terminar imprimiendo mensajes de excepci\u00f3n falsos*. Por ejemplo, para el n\u00famero de llamada al sistema 0x68000000, que eval\u00faa al valor ESR_ELx.EC 0x1A (ESR_ELx_EC_FPAC), el n\u00facleo imprime este error: [ 18.349161] syscall[300]: excepci\u00f3n no controlada: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - mala compatibilidad syscall(2) en syscall[10000+50000] [ 18.350639] CPU: 2 PID: 300 Comm: syscall No contaminado 5.18.0-rc1 #79 [ 18.351249] Nombre del hardware: Pine64 RockPro64 v2.0 (DT) [..] lo cual es enga\u00f1oso, ya que la llamada al sistema de compatibilidad incorrecta no tiene nada que ver con la autenticaci\u00f3n de puntero. Evite que arm64_show_signal() imprima informaci\u00f3n sobre el s\u00edndrome de excepci\u00f3n haciendo que compat_arm_syscall() establezca el valor ESR_ELx en 0, ya que no tiene significado para un n\u00famero de llamada de sistema no v\u00e1lido. El ejemplo anterior ahora se convierte en: [ 19.935275] syscall[301]: excepci\u00f3n no controlada: Oops - bad compat syscall(2) in syscall[10000+50000] [ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80 [ 19.936894] Nombre del hardware: Pine64 RockPro64 v2.0 (DT) [..] que aunque muestra menos informaci\u00f3n porque falta el n\u00famero de syscall, anunciado err\u00f3neamente como el valor ESR, es mejor que mostrar informaci\u00f3n claramente err\u00f3nea. El n\u00famero de syscall se puede obtener f\u00e1cilmente con strace. *Un valor de 32 bits mayor o igual a 0x8000_0000 se interpreta como un entero negativo en compat_arm_syscal() y la condici\u00f3n scno &lt; __ARM_NR_COMPAT_END se eval\u00faa como verdadera; la llamada al sistema saldr\u00e1 al espacio de usuario en este caso con el c\u00f3digo de error ENOSYS en lugar de llamar a arm64_notify_die()."}], "lastModified": "2025-10-21T12:07:21.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1C86ABC-337F-46B3-BCD8-22DC5A66E45A", "versionEndExcluding": "5.4.198"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34ACD872-E5BC-401C-93D5-B357A62426E0", "versionEndExcluding": "5.10.121", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20D41697-0E8B-4B7D-8842-F17BF2AA21E1", "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}