2373416 – (CVE-2022-49989) CVE-2022-49989 kernel: xen/privcmd: fix error exit of privcmd_ioctl_dm_op()

Bug 2373416 (CVE-2022-49989) - CVE-2022-49989 kernel: xen/privcmd: fix error exit of privcmd_ioctl_dm_op()

Summary: CVE-2022-49989 kernel: xen/privcmd: fix error exit of privcmd_ioctl_dm_op()

Keywords:
Status:	NEW
Alias:	CVE-2022-49989
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-18 12:01 UTC by OSIDB Bzimport
Modified:	2025-06-20 10:58 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-18 12:01:46 UTC

In the Linux kernel, the following vulnerability has been resolved:

xen/privcmd: fix error exit of privcmd_ioctl_dm_op()

The error exit of privcmd_ioctl_dm_op() is calling unlock_pages()
potentially with pages being NULL, leading to a NULL dereference.

Additionally lock_pages() doesn't check for pin_user_pages_fast()
having been completely successful, resulting in potentially not
locking all pages into memory. This could result in sporadic failures
when using the related memory in user mode.

Fix all of that by calling unlock_pages() always with the real number
of pinned pages, which will be zero in case pages being NULL, and by
checking the number of pages pinned by pin_user_pages_fast() matching
the expected number of pages.

Comment 1 Avinash Hanwate 2025-06-20 10:49:49 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061824-CVE-2022-49989-7eed@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.