CVE-2022-49520

arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall

Description

In the Linux kernel, the following vulnerability has been resolved: arm64: compat: Do not treat syscall number as ESR_ELx for a bad syscall If a compat process tries to execute an unknown system call above the __ARM_NR_COMPAT_END number, the kernel sends a SIGILL signal to the offending process. Information about the error is printed to dmesg in compat_arm_syscall() -> arm64_notify_die() -> arm64_force_sig_fault() -> arm64_show_signal(). arm64_show_signal() interprets a non-zero value for current->thread.fault_code as an exception syndrome and displays the message associated with the ESR_ELx.EC field (bits 31:26). current->thread.fault_code is set in compat_arm_syscall() -> arm64_notify_die() with the bad syscall number instead of a valid ESR_ELx value. This means that the ESR_ELx.EC field has the value that the user set for the syscall number and the kernel can end up printing bogus exception messages*. For example, for the syscall number 0x68000000, which evaluates to ESR_ELx.EC value of 0x1A (ESR_ELx_EC_FPAC) the kernel prints this error: [ 18.349161] syscall[300]: unhandled exception: ERET/ERETAA/ERETAB, ESR 0x68000000, Oops - bad compat syscall(2) in syscall[10000+50000] [ 18.350639] CPU: 2 PID: 300 Comm: syscall Not tainted 5.18.0-rc1 #79 [ 18.351249] Hardware name: Pine64 RockPro64 v2.0 (DT) [..] which is misleading, as the bad compat syscall has nothing to do with pointer authentication. Stop arm64_show_signal() from printing exception syndrome information by having compat_arm_syscall() set the ESR_ELx value to 0, as it has no meaning for an invalid system call number. The example above now becomes: [ 19.935275] syscall[301]: unhandled exception: Oops - bad compat syscall(2) in syscall[10000+50000] [ 19.936124] CPU: 1 PID: 301 Comm: syscall Not tainted 5.18.0-rc1-00005-g7e08006d4102 #80 [ 19.936894] Hardware name: Pine64 RockPro64 v2.0 (DT) [..] which although shows less information because the syscall number, wrongfully advertised as the ESR value, is missing, it is better than showing plainly wrong information. The syscall number can be easily obtained with strace. *A 32-bit value above or equal to 0x8000_0000 is interpreted as a negative integer in compat_arm_syscal() and the condition scno < __ARM_NR_COMPAT_END evaluates to true; the syscall will exit to userspace in this case with the ENOSYS error code instead of arm64_notify_die() being called.

N/A

CVSS

Severity:

EPSS 0.15%

Affected: Linux Linux

References

Link	Tags
https://git.kernel.org/stable/c/efd183d988b416fcdf6f7c298a17ced4859ca77d
https://git.kernel.org/stable/c/ad97425d23af3c3b8d4f6a2bb666cb485087c007
https://git.kernel.org/stable/c/621916afe8cd4f322eb12759b64a2f938d4e551d
https://git.kernel.org/stable/c/095e975f8150ccd7f852eb578c1cdbdd2f517c7a
https://git.kernel.org/stable/c/3910ae71cb963fa2b68e684489d4fc3d105afda0
https://git.kernel.org/stable/c/3fed9e551417b84038b15117732ea4505eee386b

Frequently Asked Questions

What is the severity of CVE-2022-49520?: CVE-2022-49520 has not yet been assigned a CVSS score.
How to fix CVE-2022-49520?: To fix CVE-2022-49520, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-49520 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-49520 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-49520?: CVE-2022-49520 affects Linux Linux, Linux Linux.