ghsa-crgv-wqmc-m2wr
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache
Reject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive. Not checking the active flag during refresh is particularly egregious, as KVM can end up with a valid, inactive cache, which can lead to a variety of use-after-free bugs, e.g. consuming a NULL kernel pointer or missing an mmu_notifier invalidation due to the cache not being on the list of gfns to invalidate.
Note, "active" needs to be set if and only if the cache is on the list of caches, i.e. is reachable via mmu_notifier events. If a relevant mmu_notifier event occurs while the cache is "active" but not on the list, KVM will not acquire the cache's lock and so will not serailize the mmu_notifier event with active users and/or kvm_gpc_refresh().
A race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND can be exploited to trigger the bug.
- Deactivate shinfo cache:
kvm_xen_hvm_set_attr case KVM_XEN_ATTR_TYPE_SHARED_INFO kvm_gpc_deactivate kvm_gpc_unmap gpc->valid = false gpc->khva = NULL gpc->active = false
Result: active = false, valid = false
- Cause cache refresh:
kvm_arch_vm_ioctl case KVM_XEN_HVM_EVTCHN_SEND kvm_xen_hvm_evtchn_send kvm_xen_set_evtchn kvm_xen_set_evtchn_fast kvm_gpc_check return -EWOULDBLOCK because !gpc->valid kvm_xen_set_evtchn_fast return -EWOULDBLOCK kvm_gpc_refresh hva_to_pfn_retry gpc->valid = true gpc->khva = not NULL
Result: active = false, valid = true
- Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl KVM_XEN_ATTR_TYPE_SHARED_INFO:
kvm_arch_vm_ioctl case KVM_XEN_HVM_EVTCHN_SEND kvm_xen_hvm_evtchn_send kvm_xen_set_evtchn kvm_xen_set_evtchn_fast read_lock gpc->lock kvm_xen_hvm_set_attr case KVM_XEN_ATTR_TYPE_SHARED_INFO mutex_lock kvm->lock kvm_xen_shared_info_init kvm_gpc_activate gpc->khva = NULL kvm_gpc_check [ Check passes because gpc->valid is still true, even though gpc->khva is already NULL. ] shinfo = gpc->khva pending_bits = shinfo->evtchn_pending CRASH: test_and_set_bit(..., pending_bits)
{
"affected": [],
"aliases": [
"CVE-2022-49882"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:13Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache\n\nReject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive.\nNot checking the active flag during refresh is particularly egregious, as\nKVM can end up with a valid, inactive cache, which can lead to a variety\nof use-after-free bugs, e.g. consuming a NULL kernel pointer or missing\nan mmu_notifier invalidation due to the cache not being on the list of\ngfns to invalidate.\n\nNote, \"active\" needs to be set if and only if the cache is on the list\nof caches, i.e. is reachable via mmu_notifier events. If a relevant\nmmu_notifier event occurs while the cache is \"active\" but not on the\nlist, KVM will not acquire the cache\u0027s lock and so will not serailize\nthe mmu_notifier event with active users and/or kvm_gpc_refresh().\n\nA race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND\ncan be exploited to trigger the bug.\n\n1. Deactivate shinfo cache:\n\nkvm_xen_hvm_set_attr\ncase KVM_XEN_ATTR_TYPE_SHARED_INFO\n kvm_gpc_deactivate\n kvm_gpc_unmap\n gpc-\u003evalid = false\n gpc-\u003ekhva = NULL\n gpc-\u003eactive = false\n\nResult: active = false, valid = false\n\n2. Cause cache refresh:\n\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\n kvm_xen_hvm_evtchn_send\n kvm_xen_set_evtchn\n kvm_xen_set_evtchn_fast\n kvm_gpc_check\n return -EWOULDBLOCK because !gpc-\u003evalid\n kvm_xen_set_evtchn_fast\n return -EWOULDBLOCK\n kvm_gpc_refresh\n hva_to_pfn_retry\n gpc-\u003evalid = true\n gpc-\u003ekhva = not NULL\n\nResult: active = false, valid = true\n\n3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl\nKVM_XEN_ATTR_TYPE_SHARED_INFO:\n\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\n kvm_xen_hvm_evtchn_send\n kvm_xen_set_evtchn\n kvm_xen_set_evtchn_fast\n read_lock gpc-\u003elock\n kvm_xen_hvm_set_attr case\n KVM_XEN_ATTR_TYPE_SHARED_INFO\n mutex_lock kvm-\u003elock\n kvm_xen_shared_info_init\n kvm_gpc_activate\n gpc-\u003ekhva = NULL\n kvm_gpc_check\n [ Check passes because gpc-\u003evalid is\n still true, even though gpc-\u003ekhva\n is already NULL. ]\n shinfo = gpc-\u003ekhva\n pending_bits = shinfo-\u003eevtchn_pending\n CRASH: test_and_set_bit(..., pending_bits)",
"id": "GHSA-crgv-wqmc-m2wr",
"modified": "2025-05-01T15:31:51Z",
"published": "2025-05-01T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49882"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bfa9672f8fc9eb118124bab61899d2dd497f95ba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecbcf030b45666ad11bc98565e71dfbcb7be4393"
}
],
"schema_version": "1.4.0",
"severity": []
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.