CVE-2022-48862
vhost: fix hung thread due to erroneous iotlb entries
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
vhost: fix hung thread due to erroneous iotlb entries
In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
start is 0 and last is ULONG_MAX. One instance where it can happen
is when userspace sends an IOTLB message with iova=size=uaddr=0
(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
iotlb_access_ok() loops indefinitely due to that erroneous entry.
Call Trace:
<TASK>
iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Reported by syzbot at:
https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
To fix this, do two things:
1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
a range with size 0.
2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
by splitting it into two entries.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: vhost: corrige el hilo colgado debido a entradas erróneas de iotlb En vhost_iotlb_add_range_ctx(), el tamaño del rango puede desbordarse a 0 cuando el inicio es 0 y el último es ULONG_MAX. Un caso en el que puede suceder es cuando el espacio de usuario envía un mensaje IOTLB con iova=size=uaddr=0 (vhost_process_iotlb_msg). Entonces, una entrada con tamaño = 0, inicio = 0, último = ULONG_MAX termina en iotlb. La próxima vez que se envíe un paquete, iotlb_access_ok() se repite indefinidamente debido a esa entrada errónea. Seguimiento de llamadas: iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+ 0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Reportado por syzbot en: https ://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 Para solucionar este problema, haga dos cosas: 1. Devuelva -EINVAL en vhost_chr_write_iter() cuando el espacio de usuario solicite asignar un rango con tamaño 0. 2. Corrija vhost_iotlb_add_range_ctx() para manejar el rango [0, ULONG_MAX] dividiéndolo en dos entradas.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-07-16 CVE Reserved
- 2024-07-16 CVE Published
- 2024-07-24 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/0bbe30668d89ec8a309f28ced6d092c90fb23e8c | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.7 < 5.15.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.15.29" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.7 < 5.16.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.16.15" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.7 < 5.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.17" | en |
Affected
| ||||||