Bug 2069793 (CVE-2022-1158) - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region [NEEDINFO]
Summary: CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2096819 2100245 2100246 2100247 2100248 2122535 2122536 2122537 2122538 2122539 2122541 2122542 2122543 2122544 2122545 2122546 2122547 2122548 2122549 2122550 2122551 2166330 2166331
Blocks: 2069794 2069796
Reported: 2022-03-29 17:36 UTC by Marian Rehak
Modified: 2023-02-09 14:38 UTC (History)
CC: 59 users

Fixed In Version: kernel 5.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in KVM. When updating a guest page-table entry (the cmpxchg_gpte() path), KVM computed the host page frame number (pfn) of the entry from the vm_pgoff of the VMA backing guest memory instead of accessing the entry through its userspace virtual address. Because both the virtual address and vm_pgoff are controlled by the user-mode process that owns the VM, an unprivileged local user on the host can make KVM write outside the region mapped for guest memory, potentially corrupting kernel memory and resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2022-12-16 10:48:35 UTC
Embargoed:
Flags: mcasquer: needinfo? (pbonzini)


Links
System                  ID              Last Updated
Red Hat Product Errata  RHBA-2022:9021  2022-12-14 12:02:52 UTC
Red Hat Product Errata  RHSA-2022:8673  2022-11-29 13:59:43 UTC
Red Hat Product Errata  RHSA-2022:8685  2022-11-29 14:01:07 UTC
Red Hat Product Errata  RHSA-2022:8686  2022-11-29 13:57:18 UTC
Red Hat Product Errata  RHSA-2022:8809  2022-12-06 09:54:49 UTC
Red Hat Product Errata  RHSA-2022:8831  2022-12-06 14:50:17 UTC
Red Hat Product Errata  RHSA-2022:8940  2022-12-13 09:34:03 UTC
Red Hat Product Errata  RHSA-2022:8941  2022-12-13 09:34:55 UTC
Red Hat Product Errata  RHSA-2022:8973  2022-12-13 16:05:30 UTC
Red Hat Product Errata  RHSA-2022:8974  2022-12-13 16:06:06 UTC
Red Hat Product Errata  RHSA-2022:8989  2022-12-13 15:53:37 UTC
Red Hat Product Errata  RHSA-2022:9082  2022-12-15 16:24:33 UTC

Description Marian Rehak 2022-03-29 17:36:26 UTC
Since both vaddr and vm_pgoff are controllable by the user-mode process, writing may exceed the previously mapped guest memory space and trigger exceptions such as UAF.

Comment 2 Marian Rehak 2022-06-14 11:17:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2096819]

Comment 3 Justin M. Forbes 2022-06-16 14:15:17 UTC
This was fixed for Fedora with the 5.16.19 stable kernel updates.

Comment 4 Mauro Matteo Cascella 2022-06-22 19:44:58 UTC
This bug was introduced in kernel upstream version 5.2 with commit [1].
For distros and stable, Paolo Bonzini sent an inline assembly patch that
updates the gPTE using a valid userspace address [2]. With the same method,
Sean Christopherson and Peter Zijlstra introduced macros for CMPXCHG and
replaced cmpxchg_gpte() with __try_cmpxchg_user() [3].

[1] https://github.com/torvalds/linux/commit/bd53cb35a3e9adb73a834a36586e9ad80e877767
[2] https://github.com/torvalds/linux/commit/2a8859f373b0a86f0ece8ec8312607eacf12485d
[3] https://github.com/torvalds/linux/commit/f122dfe4476890d60b8c679128cd2259ec96a24c

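The mechanism Comment 4 describes (a pfn derived from vm_pgoff versus a compare-and-exchange done through the user address), as a userspace model added to this page. It is not code from the kernel or from commits [1]-[3]. Everything in it is a stand-in chosen for the model: host_phys[] as a 16-page "host physical memory", struct mm/struct vma as one process with a single VM_PFNMAP mapping of guest RAM, KERNEL_PFN as a pretend kernel page, GUEST_VBASE as the mapping address, and the assumption that the target word and the guest's gPTE both hold 0 so the cmpxchg compare succeeds.

```c
/* Model of the CVE-2022-1158 cmpxchg_gpte() bug and its fix, written for this
 * page as a stand-alone userspace program; it is not kernel code. Everything is
 * a stand-in: host_phys[] is a 16-page "host physical memory", struct mm/vma
 * model one process with one VM_PFNMAP mapping of guest RAM, KERNEL_PFN is a
 * pretend kernel page, and a gPTE is a plain 64-bit word. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SHIFT  12
#define PAGE_SIZE   (1ULL << PAGE_SHIFT)
#define HOST_PAGES  16ULL       /* model host RAM: pfns 0..15 */
#define GUEST_PFN0  4ULL        /* guest RAM really lives in host pfns 4..7 */
#define GUEST_PAGES 4ULL
#define KERNEL_PFN  12ULL       /* a page the guest must never reach */
#define GUEST_VBASE 0x10000ULL  /* user virtual address of the guest RAM mapping */
#define EFAULT      14
static uint64_t host_phys[HOST_PAGES];  /* one 64-bit word (one gPTE) per page */
struct vma { uint64_t vm_start, vm_end, vm_pgoff; }; /* VM_PFNMAP: vm_pgoff is nominally the pfn behind vm_start */
struct mm  { struct vma vma; uint64_t pfn_of_page[GUEST_PAGES]; }; /* the process's real page table */

static bool cmpxchg64(uint64_t *p, uint64_t old, uint64_t newv)
{
    if (*p != old) return false;
    *p = newv;
    return true;
}

/* Before the fix (vm_pgoff arithmetic from bd53cb35a3e9): turn vm_pgoff into a
 * physical address and cmpxchg there. vm_pgoff is whatever the mapping's owner
 * or its driver stored, so the write can land on any host page.
 * Returns 0 on success, 1 on compare mismatch, -EFAULT on a bad address. */
static int cmpxchg_gpte_vulnerable(struct mm *mm, uint64_t vaddr, uint64_t orig,
                                   uint64_t newv, uint64_t *pfn_out)
{
    struct vma *vma = &mm->vma;
    if (vaddr < vma->vm_start || vaddr >= vma->vm_end)
        return -EFAULT;                 /* no VMA intersects vaddr */
    uint64_t pfn = ((vaddr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
    if (pfn >= HOST_PAGES)
        return -EFAULT;                 /* model-only guard; memremap() had none */
    *pfn_out = pfn;
    return cmpxchg64(&host_phys[pfn], orig, newv) ? 0 : 1;
}

/* After the fix (2a8859f373b0, later __try_cmpxchg_user): cmpxchg through the
 * user virtual address, so the write can only reach the page the process's own
 * page table maps at vaddr; an unmapped vaddr faults and yields -EFAULT. */
static int cmpxchg_gpte_fixed(struct mm *mm, uint64_t vaddr, uint64_t orig,
                              uint64_t newv, uint64_t *pfn_out)
{
    struct vma *vma = &mm->vma;
    if (vaddr < vma->vm_start || vaddr >= vma->vm_end)
        return -EFAULT;
    uint64_t pfn = mm->pfn_of_page[(vaddr - vma->vm_start) >> PAGE_SHIFT];
    *pfn_out = pfn;
    return cmpxchg64(&host_phys[pfn], orig, newv) ? 0 : 1;
}

/* Host process maps guest RAM at GUEST_VBASE, but the VMA carries `pgoff`.
 * Every word starts at 0, including the pretend kernel word and the guest's
 * gPTE, so the guest supplies a matching compare value and the cmpxchg lands. */
static void setup(struct mm *mm, uint64_t pgoff)
{
    memset(host_phys, 0, sizeof host_phys);
    memset(mm, 0, sizeof *mm);
    mm->vma.vm_start = GUEST_VBASE;
    mm->vma.vm_end   = GUEST_VBASE + GUEST_PAGES * PAGE_SIZE;
    mm->vma.vm_pgoff = pgoff;
    for (uint64_t i = 0; i < GUEST_PAGES; i++)
        mm->pfn_of_page[i] = GUEST_PFN0 + i;
}

/* One gPTE update (set the accessed bit, 0 -> 0x20, on guest page 0) with
 * vm_pgoff pointing at KERNEL_PFN. Returns the host pfn actually written. */
static uint64_t gpte_write_pfn(bool fixed)
{
    struct mm mm; uint64_t pfn = ~0ULL;
    setup(&mm, KERNEL_PFN);
    if (fixed) cmpxchg_gpte_fixed(&mm, GUEST_VBASE, 0, 0x20, &pfn);
    else       cmpxchg_gpte_vulnerable(&mm, GUEST_VBASE, 0, 0x20, &pfn);
    return pfn;
}

static uint64_t host_page(uint64_t pfn) { return host_phys[pfn]; }

static int fixed_rc_unmapped(void)  /* fixed path on an address never mapped */
{
    struct mm mm; uint64_t pfn;
    setup(&mm, KERNEL_PFN);
    return cmpxchg_gpte_fixed(&mm, GUEST_VBASE - PAGE_SIZE, 0, 0x20, &pfn);
}

int main(void)
{
    uint64_t v = gpte_write_pfn(false), vk = host_page(KERNEL_PFN);
    uint64_t f = gpte_write_pfn(true),  fk = host_page(KERNEL_PFN);
    printf("vulnerable: wrote pfn %llu, kernel word now %#llx\n",
           (unsigned long long)v, (unsigned long long)vk);
    printf("fixed:      wrote pfn %llu, kernel word now %#llx\n",
           (unsigned long long)f, (unsigned long long)fk);
    printf("fixed, unmapped vaddr: rc=%d\n", fixed_rc_unmapped());
    return 0;
}
```

Build with any C11 compiler and run. The vulnerable path writes pfn 12 (the pretend kernel page) even though the process mapped guest RAM at pfns 4..7, because it trusted vm_pgoff; the fixed path writes pfn 4, the page the process's own page table maps at that address, and returns -EFAULT for an address the process never mapped. The model keeps the real cmpxchg semantics: the misdirected write only lands when the guest-controlled compare value matches the target's current contents, which is why the Red Hat assessment above frames the impact as memory corruption leading to denial of service rather than a guaranteed controlled write.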
Comment 14 Paolo Bonzini 2022-09-22 10:22:26 UTC
I suggest using the simpler fix at upstream commit 2a8859f373b0a86f0ece8ec8312607eacf12485d for z-stream.

Comment 17 errata-xmlrpc 2022-11-29 13:57:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8686 https://access.redhat.com/errata/RHSA-2022:8686

Comment 18 errata-xmlrpc 2022-11-29 13:59:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8673 https://access.redhat.com/errata/RHSA-2022:8673

Comment 19 errata-xmlrpc 2022-11-29 14:01:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8685 https://access.redhat.com/errata/RHSA-2022:8685

Comment 20 errata-xmlrpc 2022-12-06 09:54:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2022:8809 https://access.redhat.com/errata/RHSA-2022:8809

Comment 21 errata-xmlrpc 2022-12-06 14:50:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2022:8831 https://access.redhat.com/errata/RHSA-2022:8831

Comment 23 errata-xmlrpc 2022-12-13 09:34:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:8940 https://access.redhat.com/errata/RHSA-2022:8940

Comment 24 errata-xmlrpc 2022-12-13 09:34:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:8941 https://access.redhat.com/errata/RHSA-2022:8941

Comment 25 errata-xmlrpc 2022-12-13 15:53:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2022:8989 https://access.redhat.com/errata/RHSA-2022:8989

Comment 26 errata-xmlrpc 2022-12-13 16:05:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8973 https://access.redhat.com/errata/RHSA-2022:8973

Comment 27 errata-xmlrpc 2022-12-13 16:06:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8974 https://access.redhat.com/errata/RHSA-2022:8974

Comment 28 errata-xmlrpc 2022-12-15 16:24:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:9082 https://access.redhat.com/errata/RHSA-2022:9082

Comment 29 Product Security DevOps Team 2022-12-16 10:48:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1158

