Bug 2348318 (CVE-2022-49660)

Summary: CVE-2022-49660 kernel: xen/arm: Fix race in RB-tree based P2M accounting
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability-draftAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A vulnerability was identified in the Linux kernel’s Xen ARM implementation, where a race condition in RB-tree-based P2M (physical-to-machine) accounting could occur due to an unprotected read of the tree root in __set_phys_to_machine_multi(). An attacker could theoretically exploit this by triggering concurrent grant table operations (via gnttab_map_refs() and gnttab_unmap_refs()) that lead to incorrect or inconsistent memory mappings, potentially causing memory corruption or denial of service. However, due to the extremely rare occurrence and limited impact in real-world use
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-02-26 03:25:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

xen/arm: Fix race in RB-tree based P2M accounting

During the PV driver life cycle the mappings are added to
the RB-tree by set_foreign_p2m_mapping(), which is called from
gnttab_map_refs() and are removed by clear_foreign_p2m_mapping()
which is called from gnttab_unmap_refs(). As both functions end
up calling __set_phys_to_machine_multi() which updates the RB-tree,
this function can be called concurrently.

There is already a "p2m_lock" to protect against concurrent accesses,
but the problem is that the first read of "phys_to_mach.rb_node"
in __set_phys_to_machine_multi() is not covered by it, so this might
lead to the incorrect mappings update (removing in our case) in RB-tree.

In my environment the related issue happens rarely and only when
PV net backend is running, the xen_add_phys_to_mach_entry() claims
that it cannot add new pfn <-> mfn mapping to the tree since it is
already exists which results in a failure when mapping foreign pages.

But there might be other bad consequences related to the non-protected
root reads such use-after-free, etc.

While at it, also fix the similar usage in __pfn_to_mfn(), so
initialize "struct rb_node *n" with the "p2m_lock" held in both
functions to avoid possible bad consequences.

This is CVE-2022-33744 / XSA-406.
Comment 1 Avinash Hanwate 2025-02-26 11:49:11 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022622-CVE-2022-49660-cf45@gregkh/T
Comment 2 Avinash Hanwate 2025-02-26 16:23:15 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022622-CVE-2022-49660-cf45@gregkh/T
Comment 3 TEJ RATHI 2025-05-15 07:31:08 UTC 
This CVE has been rejected upstream: https://lore.kernel.org/linux-cve-announce/2025022622-REJECTED-3830@gregkh/