Linux Kernel Arm64 Memory Tagging Extension Vulnerability Allowing Improper Tag Synchronization

Vulnerability

A vulnerability in the Linux kernel's handling of the Memory Tagging Extension (MTE) on the arm64 architecture can lead to incorrect synchronization of memory tags, particularly during page migrations. The issue arises because the MTE synchronization function was modified to also apply to untagged pages, which inadvertently caused pages that resembled swap entries to be tagged automatically. When these pages were copied, any KASAN-owned tags were transferred to the destination page, creating a mismatch that KASAN later flagged as an access fault. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can cause KASAN to report invalid access errors, indicating a mismatch between the expected and actual memory tags, which could disrupt memory management and error detection processes.

Reproduction

The vulnerability can be reproduced by enabling the Memory Tagging Extension on an arm64 system and performing operations that migrate pages with untagged PTEs. This triggers the erroneous automatic tagging of pages. When such a page is then copied to a destination page, any KASAN-related tags are transferred with it, causing a mismatch that KASAN reports as an invalid access error.
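To spot the symptom described above in collected kernel logs, the following added example (not part of the original advisory or of the kernel source) extracts KASAN invalid-access reports whose pointer tag differs from the memory tag. The sample log is constructed, and the line layout is an assumption modelled on the report format of tag-based KASAN modes; `find_tag_mismatches` is a hypothetical helper name.

```python
import re

# Constructed dmesg excerpt (not taken from the advisory). The layout is an
# assumption modelled on the reports printed by tag-based KASAN modes.
SAMPLE_DMESG = """\
[  101.000001] BUG: KASAN: invalid-access in copy_page+0x10/0xd0
[  101.000002] Read at addr f5ff000017f2e000 by task migrate-test/2218
[  101.000003] Pointer tag: [f5], memory tag: [f2]
[  101.000004] CPU: 1 PID: 2218 Comm: migrate-test Not tainted
[  202.000001] BUG: KASAN: slab-out-of-bounds in example_fn+0x20/0x40
[  202.000002] Write of size 4 at addr ffff000012345678 by task other/77
[  303.000001] BUG: KASAN: invalid-access in example_fn+0x8/0x30
[  303.000002] Read of size 8 at addr f0ff00000a0b0c00 by task worker/9
[  303.000003] Pointer tag: [f0], memory tag: [fe]
"""

HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[^\s+]+)")
ACCESS = re.compile(
    r"(?P<op>Read|Write)(?: of size \d+)? at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+?)/(?P<pid>\d+)"
)
TAGS = re.compile(
    r"Pointer tag: \[(?P<ptr>[0-9a-f]{2})\], memory tag: \[(?P<mem>[0-9a-f]{2})\]"
)


def find_tag_mismatches(log_text):
    """Return invalid-access reports where pointer tag != memory tag."""
    reports, current = [], None
    for line in log_text.splitlines():
        if m := HEADER.search(line):
            # A new report starts; later lines attach to it until the next header.
            current = {"kind": m["kind"], "func": m["func"]}
            reports.append(current)
        elif current is None:
            continue  # noise before the first report
        elif m := ACCESS.search(line):
            current.update(op=m["op"], addr=m["addr"],
                           task=m["task"], pid=int(m["pid"]))
        elif m := TAGS.search(line):
            current.update(ptr_tag=m["ptr"], mem_tag=m["mem"])
    return [r for r in reports
            if r["kind"] == "invalid-access"
            and "ptr_tag" in r and r["ptr_tag"] != r["mem_tag"]]


if __name__ == "__main__":
    for r in find_tag_mismatches(SAMPLE_DMESG):
        print(f'{r["func"]}: pointer tag {r["ptr_tag"]} vs memory tag '
              f'{r["mem_tag"]} (task {r.get("task")}, addr {r.get("addr")})')
```

Reports that cluster in page-copy paths on an MTE-enabled arm64 host are the ones worth correlating with the kernel version in use.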

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.

Added: Dec 9, 2025, 4:53 PM
Updated: Dec 9, 2025, 4:53 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.