CVE-2022-49778 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
arm64/mm: fix incorrect file_map_count for non-leaf pmd/pud
The page table check trigger BUG_ON() unexpectedly when collapse hugepage:
------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:82! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750 Hardware name: linux,dummy-virt (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : page_table_check_clear.isra.0+0x258/0x3f0 lr : page_table_check_clear.isra.0+0x240/0x3f0 [...]
Call trace: page_table_check_clear.isra.0+0x258/0x3f0 __page_table_check_pmd_clear+0xbc/0x108 pmdp_collapse_flush+0xb0/0x160 collapse_huge_page+0xa08/0x1080 hpage_collapse_scan_pmd+0xf30/0x1590 khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8 khugepaged+0x338/0x518 kthread+0x278/0x2f8 ret_from_fork+0x10/0x20 [...]
Since pmd_user_accessible_page() doesn't check if a pmd is leaf, it decrease file_map_count for a non-leaf pmd comes from collapse_huge_page(). and so trigger BUG_ON() unexpectedly.
Fix this problem by using pmd_leaf() insteal of pmd_present() in pmd_user_accessible_page(). Moreover, use pud_leaf() for pud_user_accessible_page() too.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability described in CVE-2022-49778 represents a critical flaw in the Linux kernel's memory management subsystem, specifically affecting the arm64 architecture. This issue manifests during huge page collapse operations when the kernel incorrectly handles file mapping counts for non-leaf page middle directory (pmd) and page upper directory (pud) entries. The flaw stems from an improper implementation of page table checking mechanisms that leads to unexpected kernel panics and system instability. When the kernel attempts to collapse huge pages, it triggers a BUG_ON() condition that results in a kernel oops and system crash, as evidenced by the stack trace showing the failure occurring in page_table_check_clear function during pmdp_collapse_flush operations.
The technical root cause lies in the incorrect use of pmd_present() instead of pmd_leaf() within the pmd_user_accessible_page() function. This error causes the kernel to process non-leaf pmd entries as if they were leaf entries, leading to improper file_map_count modifications. The problem extends to pud_user_accessible_page() which suffers from the same issue using pud_present() instead of pud_leaf(). According to CWE-119, this represents an improper access to memory locations where the kernel accesses page table entries without proper validation of their leaf status. The vulnerability demonstrates a classic case of insufficient validation in memory management operations, where the kernel fails to distinguish between page table entries that represent actual memory mappings versus those that serve as intermediate directory entries in the page table hierarchy.
The operational impact of this vulnerability is severe, particularly for systems utilizing huge page memory management and the kernel's transparent huge page (THP) subsystem. When khugepaged daemon attempts to collapse huge pages, the system becomes unstable and may crash entirely, leading to denial of service conditions. This affects systems running kernel versions where the THP subsystem is active, particularly those with memory-intensive workloads that rely on huge page optimizations. The vulnerability affects systems that perform memory management operations such as memory compaction, page migration, and transparent huge page handling, making it particularly dangerous in enterprise environments where system stability is paramount. The issue can be exploited by malicious actors to cause system crashes or potentially gain unauthorized access to system resources through kernel memory corruption.
The fix implemented addresses the core issue by replacing pmd_present() with pmd_leaf() in pmd_user_accessible_page() and similarly updating pud_user_accessible_page() to use pud_leaf() instead of pud_present(). This ensures that only actual leaf page table entries are processed for file mapping count adjustments, preventing the incorrect decrement of file_map_count for intermediate directory entries. The solution aligns with the ATT&CK framework's T1068 technique related to privilege escalation through kernel vulnerabilities, as it prevents potential exploitation paths that could lead to kernel memory corruption. Additionally, the fix follows the principle of least privilege by ensuring that memory management operations only affect entries that are actually accessible as user pages, thereby reducing the attack surface for memory corruption exploits. System administrators should update to kernel versions containing this fix and monitor for potential system instability during memory-intensive operations, particularly those involving huge page management and transparent huge page consolidation activities.