CVE-2022-49964 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level
Though acpi_find_last_cache_level() always returned a signed value and the document states it will return any errors caused by lack of a PPTT table, it never returned negative values before.
Commit 0c80f9e165f8 ("ACPI: PPTT: Leave the table mapped for the runtime usage") however changed it by returning -ENOENT if no PPTT was found. The value returned from acpi_find_last_cache_level() is then assigned to unsigned fw_level.
It will result in the number of cache leaves being calculated incorrectly as a huge value, which will then cause the following warning from __alloc_pages as the order would be greater than MAX_ORDER because of the incorrect and huge cache leaves value.
| WARNING: CPU: 0 PID: 1 at mm/page_alloc.c:5407 __alloc_pages+0x74/0x314
| Modules linked in:
| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-10393-g7c2a8d3ac4c0 #73
| pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
| pc : __alloc_pages+0x74/0x314
| lr : alloc_pages+0xe8/0x318
| Call trace:
|  __alloc_pages+0x74/0x314
|  alloc_pages+0xe8/0x318
|  kmalloc_order_trace+0x68/0x1dc
|  __kmalloc+0x240/0x338
|  detect_cache_attributes+0xe0/0x56c
|  update_siblings_masks+0x38/0x284
|  store_cpu_topology+0x78/0x84
|  smp_prepare_cpus+0x48/0x134
|  kernel_init_freeable+0xc4/0x14c
|  kernel_init+0x2c/0x1b4
|  ret_from_fork+0x10/0x20
Fix the same by changing fw_level to be a signed integer and return the error from init_cache_level() early in case of error.
Analysis
by VulDB Data Team • 11/30/2025
The vulnerability described in CVE-2022-49964 represents a critical type confusion issue within the Linux kernel's ARM64 architecture implementation, specifically affecting the cache information handling subsystem. This flaw arises from an improper assignment of signed error values to unsigned variables, creating a scenario where negative error codes are interpreted as massive positive values. The vulnerability impacts systems running Linux kernel versions where the acpi_find_last_cache_level() function was modified to return -ENOENT when PPTT (Processor Properties Topology Table) tables are absent. This change introduced a mismatch between the signed return value and the unsigned fw_level variable that receives it, fundamentally altering how cache hierarchy information is processed during system initialization.
The technical root cause stems from a modification in commit 0c80f9e165f8, which altered the behavior of acpi_find_last_cache_level() to return error codes instead of just positive values. When no PPTT table is found, this function now returns -ENOENT, a negative error code indicating the absence of required ACPI data. However, the fw_level variable in the cache information processing code is declared as unsigned, causing the negative error value to be interpreted as an extremely large positive number. This misinterpretation leads to incorrect cache leaf calculations that dramatically exceed system limits, ultimately triggering kernel warnings and potential system instability during memory allocation operations.
The operational impact of this vulnerability manifests primarily during system boot and initialization phases when the kernel attempts to detect and configure CPU cache hierarchies. The incorrect cache leaf calculation causes the __alloc_pages function to receive an impossibly large order parameter that exceeds MAX_ORDER, resulting in kernel panic warnings and system instability. The call trace demonstrates this progression from cache detection through memory allocation to kernel initialization failure, indicating that the vulnerability affects core system functionality rather than just peripheral components. This issue particularly impacts ARM64 systems that rely on ACPI PPTT tables for topology information, potentially causing complete system boot failures or unpredictable behavior during runtime operations.
The fix implemented addresses this vulnerability by changing the fw_level variable type from unsigned to signed integer, ensuring proper handling of error codes returned by acpi_find_last_cache_level(). Additionally, the solution includes an early error return from the init_cache_level() function when errors are detected, preventing the propagation of invalid cache information throughout the system. This approach aligns with security best practices for error handling and type safety, preventing type confusion attacks that could otherwise exploit the signed-unsigned mismatch. The mitigation strategy follows established principles for preventing integer overflow conditions and maintaining data integrity in kernel space operations, as referenced in CWE-194, which deals with unintended use of signedness in arithmetic operations. This vulnerability also relates to ATT&CK technique T1068, which covers 'Exploitation for Privilege Escalation' through kernel vulnerabilities, as the improper handling of cache information could potentially be leveraged to gain elevated privileges or cause system compromise during kernel initialization.
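The following C program is an added model of the defect described in the commit message and in the analysis above; it is not kernel source and not part of this advisory. It shows how a signed -ENOENT stored in an unsigned fw_level becomes a huge cache-leaf count that would push a kmalloc() request past MAX_ORDER, and how the fix (a signed fw_level plus an early return from init_cache_level()) avoids it. Function and field names echo the commit message; the level/leaf arithmetic, the page size, the MAX_ORDER value and the per-leaf record size are assumptions chosen for the demonstration.

```c
/* Added model of CVE-2022-49964 (not kernel source): a signed -ENOENT stored
 * in an unsigned fw_level turns into a huge cache-leaf count, and a signed
 * type plus an early error return in init_cache_level() avoids it.
 * Every constant marked "assumed" is chosen for the demonstration only. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE_MODEL   4096u   /* assumed page size */
#define MAX_ORDER_MODEL   10u     /* assumed largest allocation order */
#define CACHEINFO_SIZE    64u     /* assumed bytes per cache-leaf record */

/* Constructed per-CPU inputs: what the architectural registers report, and
 * whether firmware supplied a PPTT table at all. */
struct cpu_model {
    unsigned int arch_levels;
    unsigned int arch_leaves;
    bool have_pptt;
};

struct cache_summary {
    unsigned int num_levels;
    unsigned int num_leaves;
};

/* Stand-in for acpi_find_last_cache_level(): after commit 0c80f9e165f8 it
 * reports -ENOENT when no PPTT exists instead of a non-negative level. */
static int acpi_find_last_cache_level_model(const struct cpu_model *m)
{
    return m->have_pptt ? 3 : -ENOENT;
}

/* Pre-fix shape: fw_level is unsigned, so -ENOENT (-2) becomes 4294967294,
 * "level < fw_level" is true, and the leaf count explodes. */
static int init_cache_level_buggy(const struct cpu_model *m,
                                  struct cache_summary *out)
{
    unsigned int level = m->arch_levels, leaves = m->arch_leaves, fw_level;

    fw_level = acpi_find_last_cache_level_model(m);   /* signed -> unsigned */
    if (level < fw_level) {
        leaves += fw_level - level;
        level = fw_level;
    }
    out->num_levels = level;
    out->num_leaves = leaves;
    return 0;
}

/* Post-fix shape: a signed fw_level and an early return on error. */
static int init_cache_level_fixed(const struct cpu_model *m,
                                  struct cache_summary *out)
{
    unsigned int level = m->arch_levels, leaves = m->arch_leaves;
    int fw_level = acpi_find_last_cache_level_model(m);

    if (fw_level < 0)
        return fw_level;                      /* caller sees -ENOENT */
    if (level < (unsigned int)fw_level) {
        leaves += (unsigned int)fw_level - level;
        level = (unsigned int)fw_level;
    }
    out->num_levels = level;
    out->num_leaves = leaves;
    return 0;
}

/* Would kmalloc(leaves * CACHEINFO_SIZE) need an order above MAX_ORDER?
 * This is the condition behind the __alloc_pages warning in the trace. */
static bool exceeds_max_order(unsigned int leaves)
{
    uint64_t bytes = (uint64_t)leaves * CACHEINFO_SIZE;
    uint64_t span = PAGE_SIZE_MODEL;
    unsigned int order = 0;

    while (span < bytes) {
        span <<= 1;
        order++;
    }
    return order > MAX_ORDER_MODEL;
}

/* One scenario (2 architectural levels, 3 leaves) through either variant;
 * returns the status and fills *out only on success. */
static int run_scenario(bool use_fix, bool have_pptt, struct cache_summary *out)
{
    struct cpu_model m = { .arch_levels = 2, .arch_leaves = 3,
                           .have_pptt = have_pptt };

    out->num_levels = out->num_leaves = 0;
    return use_fix ? init_cache_level_fixed(&m, out)
                   : init_cache_level_buggy(&m, out);
}

static int scenario_status(bool use_fix, bool have_pptt)
{
    struct cache_summary s;
    return run_scenario(use_fix, have_pptt, &s);
}

static unsigned int scenario_leaves(bool use_fix, bool have_pptt)
{
    struct cache_summary s;
    return run_scenario(use_fix, have_pptt, &s) == 0 ? s.num_leaves : 0;
}

int main(void)
{
    unsigned int bad = scenario_leaves(false, false);

    printf("buggy, no PPTT: leaves=%u exceeds MAX_ORDER=%d\n",
           bad, exceeds_max_order(bad));
    printf("fixed, no PPTT: rc=%d (-ENOENT)\n", scenario_status(true, false));
    printf("fixed, PPTT   : leaves=%u\n", scenario_leaves(true, true));
    return 0;
}
```

The decisive moment is the comparison `level < fw_level`: once the negative error has been widened into an unsigned, the comparison is true for any real level and the subtraction produces a count close to UINT_MAX. Building with `-Wsign-conversion` and `-Wsign-compare` flags the assignment in the buggy variant, which is the cheap static check for this class of CWE-194 defect; the runtime check is the early `fw_level < 0` return, which keeps the bad value from ever reaching the allocator.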