cve-2022-49882
Vulnerability from cvelistv5
Published
2025-05-01 14:10
Modified
2025-05-01 14:10
Severity ?
EPSS score ?
Summary
KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache
References
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"virt/kvm/pfncache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bfa9672f8fc9eb118124bab61899d2dd497f95ba",
"status": "affected",
"version": "982ed0de4753ed6e71dbd40f82a5a066baf133ed",
"versionType": "git"
},
{
"lessThan": "ecbcf030b45666ad11bc98565e71dfbcb7be4393",
"status": "affected",
"version": "982ed0de4753ed6e71dbd40f82a5a066baf133ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"virt/kvm/pfncache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache\n\nReject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive.\nNot checking the active flag during refresh is particularly egregious, as\nKVM can end up with a valid, inactive cache, which can lead to a variety\nof use-after-free bugs, e.g. consuming a NULL kernel pointer or missing\nan mmu_notifier invalidation due to the cache not being on the list of\ngfns to invalidate.\n\nNote, \"active\" needs to be set if and only if the cache is on the list\nof caches, i.e. is reachable via mmu_notifier events. If a relevant\nmmu_notifier event occurs while the cache is \"active\" but not on the\nlist, KVM will not acquire the cache\u0027s lock and so will not serailize\nthe mmu_notifier event with active users and/or kvm_gpc_refresh().\n\nA race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND\ncan be exploited to trigger the bug.\n\n1. Deactivate shinfo cache:\n\nkvm_xen_hvm_set_attr\ncase KVM_XEN_ATTR_TYPE_SHARED_INFO\n kvm_gpc_deactivate\n kvm_gpc_unmap\n gpc-\u003evalid = false\n gpc-\u003ekhva = NULL\n gpc-\u003eactive = false\n\nResult: active = false, valid = false\n\n2. Cause cache refresh:\n\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\n kvm_xen_hvm_evtchn_send\n kvm_xen_set_evtchn\n kvm_xen_set_evtchn_fast\n kvm_gpc_check\n return -EWOULDBLOCK because !gpc-\u003evalid\n kvm_xen_set_evtchn_fast\n return -EWOULDBLOCK\n kvm_gpc_refresh\n hva_to_pfn_retry\n gpc-\u003evalid = true\n gpc-\u003ekhva = not NULL\n\nResult: active = false, valid = true\n\n3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl\nKVM_XEN_ATTR_TYPE_SHARED_INFO:\n\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\n kvm_xen_hvm_evtchn_send\n kvm_xen_set_evtchn\n kvm_xen_set_evtchn_fast\n read_lock gpc-\u003elock\n kvm_xen_hvm_set_attr case\n KVM_XEN_ATTR_TYPE_SHARED_INFO\n mutex_lock kvm-\u003elock\n kvm_xen_shared_info_init\n kvm_gpc_activate\n gpc-\u003ekhva = NULL\n kvm_gpc_check\n [ Check passes because gpc-\u003evalid is\n still true, even though gpc-\u003ekhva\n is already NULL. ]\n shinfo = gpc-\u003ekhva\n pending_bits = shinfo-\u003eevtchn_pending\n CRASH: test_and_set_bit(..., pending_bits)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T14:10:29.213Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bfa9672f8fc9eb118124bab61899d2dd497f95ba"
},
{
"url": "https://git.kernel.org/stable/c/ecbcf030b45666ad11bc98565e71dfbcb7be4393"
}
],
"title": "KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache",
"x_generator": {
"engine": "bippy-1.1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49882",
"datePublished": "2025-05-01T14:10:29.213Z",
"dateReserved": "2025-05-01T14:05:17.241Z",
"dateUpdated": "2025-05-01T14:10:29.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-49882\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:13.183\",\"lastModified\":\"2025-05-01T15:16:13.183\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache\\n\\nReject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive.\\nNot checking the active flag during refresh is particularly egregious, as\\nKVM can end up with a valid, inactive cache, which can lead to a variety\\nof use-after-free bugs, e.g. consuming a NULL kernel pointer or missing\\nan mmu_notifier invalidation due to the cache not being on the list of\\ngfns to invalidate.\\n\\nNote, \\\"active\\\" needs to be set if and only if the cache is on the list\\nof caches, i.e. is reachable via mmu_notifier events. If a relevant\\nmmu_notifier event occurs while the cache is \\\"active\\\" but not on the\\nlist, KVM will not acquire the cache\u0027s lock and so will not serailize\\nthe mmu_notifier event with active users and/or kvm_gpc_refresh().\\n\\nA race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND\\ncan be exploited to trigger the bug.\\n\\n1. Deactivate shinfo cache:\\n\\nkvm_xen_hvm_set_attr\\ncase KVM_XEN_ATTR_TYPE_SHARED_INFO\\n kvm_gpc_deactivate\\n kvm_gpc_unmap\\n gpc-\u003evalid = false\\n gpc-\u003ekhva = NULL\\n gpc-\u003eactive = false\\n\\nResult: active = false, valid = false\\n\\n2. Cause cache refresh:\\n\\nkvm_arch_vm_ioctl\\ncase KVM_XEN_HVM_EVTCHN_SEND\\n kvm_xen_hvm_evtchn_send\\n kvm_xen_set_evtchn\\n kvm_xen_set_evtchn_fast\\n kvm_gpc_check\\n return -EWOULDBLOCK because !gpc-\u003evalid\\n kvm_xen_set_evtchn_fast\\n return -EWOULDBLOCK\\n kvm_gpc_refresh\\n hva_to_pfn_retry\\n gpc-\u003evalid = true\\n gpc-\u003ekhva = not NULL\\n\\nResult: active = false, valid = true\\n\\n3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl\\nKVM_XEN_ATTR_TYPE_SHARED_INFO:\\n\\nkvm_arch_vm_ioctl\\ncase KVM_XEN_HVM_EVTCHN_SEND\\n kvm_xen_hvm_evtchn_send\\n kvm_xen_set_evtchn\\n kvm_xen_set_evtchn_fast\\n read_lock gpc-\u003elock\\n kvm_xen_hvm_set_attr case\\n KVM_XEN_ATTR_TYPE_SHARED_INFO\\n mutex_lock kvm-\u003elock\\n kvm_xen_shared_info_init\\n kvm_gpc_activate\\n gpc-\u003ekhva = NULL\\n kvm_gpc_check\\n [ Check passes because gpc-\u003evalid is\\n still true, even though gpc-\u003ekhva\\n is already NULL. ]\\n shinfo = gpc-\u003ekhva\\n pending_bits = shinfo-\u003eevtchn_pending\\n CRASH: test_and_set_bit(..., pending_bits)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/bfa9672f8fc9eb118124bab61899d2dd497f95ba\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ecbcf030b45666ad11bc98565e71dfbcb7be4393\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.