Bug 2069793 (CVE-2022-1158)
Summary: | CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | acaringi, adscvr, airlied, alciregi, bdettelb, bhu, bskeggs, chwhite, crwood, ctoe, ddepaula, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, jmaloy, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kpatch-maint, lgoncalv, linville, lzampier, masami256, mcascell, mcasquer, mchehab, nmurray, pbonzini, ptalbert, qzhao, rhandlin, rvrbovsk, scweaver, security-response-team, steved, vkumar, walters, williams, ycote |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | kernel 5.18 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2022-12-16 10:48:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2096819, 2100245, 2100246, 2100247, 2100248, 2122535, 2122536, 2122537, 2122538, 2122539, 2122541, 2122542, 2122543, 2122544, 2122545, 2122546, 2122547, 2122548, 2122549, 2122550, 2122551, 2166330, 2166331 | | |
Bug Blocks: | 2069794, 2069796 | | |
Description
Marian Rehak
2022-03-29 17:36:26 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2096819]

This was fixed for Fedora with the 5.16.19 stable kernel updates.

This bug was introduced in kernel upstream version 5.2 with commit [1]. For distros and stable, Paolo Bonzini sent an inline assembly patch that updates the gPTE using a valid userspace address [2]. With the same method, Sean Christopherson and Peter Zijlstra introduced macros for CMPXCHG and replaced cmpxchg_gpte() with __try_cmpxchg_user() [3].

[1] https://github.com/torvalds/linux/commit/bd53cb35a3e9adb73a834a36586e9ad80e877767
[2] https://github.com/torvalds/linux/commit/2a8859f373b0a86f0ece8ec8312607eacf12485d
[3] https://github.com/torvalds/linux/commit/f122dfe4476890d60b8c679128cd2259ec96a24c

I suggest using the simpler fix at upstream commit 2a8859f373b0a86f0ece8ec8312607eacf12485d for z-stream.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.4 Extended Update Support, via RHSA-2022:8686 https://access.redhat.com/errata/RHSA-2022:8686
Red Hat Enterprise Linux 8.4 Extended Update Support, via RHSA-2022:8673 https://access.redhat.com/errata/RHSA-2022:8673
Red Hat Enterprise Linux 8.4 Extended Update Support, via RHSA-2022:8685 https://access.redhat.com/errata/RHSA-2022:8685
Red Hat Enterprise Linux 8.6 Extended Update Support, via RHSA-2022:8809 https://access.redhat.com/errata/RHSA-2022:8809
Red Hat Enterprise Linux 8.6 Extended Update Support, via RHSA-2022:8831 https://access.redhat.com/errata/RHSA-2022:8831
Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, via RHSA-2022:8940 https://access.redhat.com/errata/RHSA-2022:8940
Red Hat Enterprise Linux 8.2 Telecommunications Update Service, via RHSA-2022:8941 https://access.redhat.com/errata/RHSA-2022:8941
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, via RHSA-2022:8989 https://access.redhat.com/errata/RHSA-2022:8989
Red Hat Enterprise Linux 9.0 Extended Update Support, via RHSA-2022:8973 https://access.redhat.com/errata/RHSA-2022:8973
Red Hat Enterprise Linux 9.0 Extended Update Support, via RHSA-2022:8974 https://access.redhat.com/errata/RHSA-2022:8974
Red Hat Enterprise Linux 9.0 Extended Update Support, via RHSA-2022:9082 https://access.redhat.com/errata/RHSA-2022:9082

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1158

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
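The Doc Text above says vm_pgoff was used to derive the pfn, and the description says the fix was to run the compare-and-exchange on the user address instead. The following is an added, user-space model of both computations written for this page; it is not kernel code and not the patches referenced above. `struct vma_model`, `old_gpte_pfn()`, `new_cmpxchg_gpte()`, the device pfn range `DEV_PFN_BASE`, the offset `USER_PGOFF` and the mapping addresses are all constructed for the example. The old path shows that for a VM_PFNMAP mapping whose vm_pgoff is simply the offset the user passed to mmap(), the pfn it would have handed to memremap() has no relation to the pages that actually back the mapping; the new path never forms a physical address and only touches memory inside the mapping, with a range check standing in for the kernel's exception-table fixup.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define VM_PFNMAP  0x00000400UL   /* same bit value the kernel uses for VM_PFNMAP */

/* Hypothetical stand-in for the struct vm_area_struct fields that matter here. */
struct vma_model {
    unsigned long vm_start;   /* first user virtual address of the mapping */
    unsigned long vm_end;     /* one past the last */
    unsigned long vm_pgoff;   /* page offset passed to mmap(); user-controlled */
    unsigned long vm_flags;
};

/* Pre-fix logic (the shape introduced by commit bd53cb35a3e9): for a VM_PFNMAP
 * VMA, treat vm_pgoff as the base pfn and add the page index of vaddr. The
 * result was handed to memremap() and the gPTE was written through it. */
static int old_gpte_pfn(const struct vma_model *vma, unsigned long vaddr,
                        unsigned long *pfn_out)
{
    if (vaddr < vma->vm_start || vaddr >= vma->vm_end)
        return -EFAULT;
    if (!(vma->vm_flags & VM_PFNMAP))
        return -EINVAL;   /* ordinary VMAs went through get_user_pages() instead */
    *pfn_out = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
    return 0;
}

/* Post-fix shape (commit 2a8859f373b0): no physical address is derived; the
 * compare-and-exchange runs on the user virtual address itself. The kernel
 * uses inline asm inside a user-access window with an exception-table entry;
 * here an atomic builtin stands in and an explicit range/alignment check takes
 * the place of the fault handler. On return *orig holds the value found. */
static int new_cmpxchg_gpte(const struct vma_model *vma, uint64_t *user_base,
                            unsigned long vaddr, uint64_t *orig, uint64_t new)
{
    if (vaddr < vma->vm_start || vaddr + sizeof(uint64_t) > vma->vm_end ||
        (vaddr & (sizeof(uint64_t) - 1)))
        return -EFAULT;
    uint64_t *gpte = (uint64_t *)((char *)user_base + (vaddr - vma->vm_start));
    __atomic_compare_exchange_n(gpte, orig, new, false,
                                __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
    return 0;
}

/* Constructed scenario: a 4-page VM_PFNMAP mapping of a device whose real
 * backing pfns are [DEV_PFN_BASE, DEV_PFN_BASE + MAP_PAGES), mmap()ed by the
 * user with an arbitrary offset, so vm_pgoff says nothing about those pfns. */
#define DEV_PFN_BASE 0x1000UL
#define USER_PGOFF   0x7fff0UL    /* attacker-chosen mmap offset, in pages */
#define MAP_PAGES    4

static struct vma_model demo_vma(void)
{
    struct vma_model vma = {
        .vm_start = 0x7f0000000000UL,
        .vm_end   = 0x7f0000000000UL + MAP_PAGES * PAGE_SIZE,
        .vm_pgoff = USER_PGOFF,
        .vm_flags = VM_PFNMAP,
    };
    return vma;
}

/* pfn the old code would have memremap()ed for page `page_idx` of the mapping;
 * 0 if the address was rejected. */
static unsigned long old_pfn_for_page(unsigned int page_idx)
{
    struct vma_model vma = demo_vma();
    unsigned long pfn = 0;
    if (old_gpte_pfn(&vma, vma.vm_start + page_idx * PAGE_SIZE, &pfn) != 0)
        return 0;
    return pfn;
}

static bool pfn_backs_device(unsigned long pfn)
{
    return pfn >= DEV_PFN_BASE && pfn < DEV_PFN_BASE + MAP_PAGES;
}

/* Fixed path against a constructed guest page-table page: set entry 0 to `cur`,
 * try to swap `orig` -> `new` at byte offset `off` into the mapping, and return
 * the final value of entry 0. UINT64_MAX means the address was rejected before
 * any memory was touched. */
static uint64_t new_path_final(uint64_t cur, uint64_t orig, uint64_t new,
                               unsigned long off)
{
    static uint64_t gpt[MAP_PAGES * PAGE_SIZE / sizeof(uint64_t)]; /* the mapped pages */
    struct vma_model vma = demo_vma();
    gpt[0] = cur;
    if (new_cmpxchg_gpte(&vma, gpt, vma.vm_start + off, &orig, new) != 0)
        return UINT64_MAX;
    return gpt[0];
}

int main(void)
{
    unsigned long pfn = old_pfn_for_page(1);
    printf("old path: pfn 0x%lx, backs the device: %s\n", pfn,
           pfn_backs_device(pfn) ? "yes" : "no");
    printf("new path: 0x%llx\n",
           (unsigned long long)new_path_final(0x1, 0x1, 0x21, 0));
    return 0;
}
```

The old path's pfn is 0x7fff1 for page 1, far outside the constructed device range, which is the "write to pfns outside the userspace region" in the summary. The new path stores only when the entry still holds `orig`, leaves a stale entry untouched, and refuses an out-of-range or misaligned address without dereferencing it.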