Bug 2373509 (CVE-2022-50058) - CVE-2022-50058 kernel: vdpa_sim_blk: set number of address spaces and virtqueue groups
Summary: CVE-2022-50058 kernel: vdpa_sim_blk: set number of address spaces and virtque...
Keywords:
Status: NEW
Alias: CVE-2022-50058
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-18 12:06 UTC by OSIDB Bzimport
Modified: 2025-06-19 20:32 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-18 12:06:11 UTC
In the Linux kernel, the following vulnerability has been resolved:

vdpa_sim_blk: set number of address spaces and virtqueue groups

Commit bda324fd037a ("vdpasim: control virtqueue support") added two
new fields (nas, ngroups) to vdpasim_dev_attr, but we forgot to
initialize them for vdpa_sim_blk.

When creating a new vdpa_sim_blk device this causes the kernel
to panic in this way:
    $ vdpa dev add mgmtdev vdpasim_blk name blk0
    BUG: kernel NULL pointer dereference, address: 0000000000000030
    ...
    RIP: 0010:vhost_iotlb_add_range_ctx+0x41/0x220 [vhost_iotlb]
    ...
    Call Trace:
     <TASK>
     vhost_iotlb_add_range+0x11/0x800 [vhost_iotlb]
     vdpasim_map_range+0x91/0xd0 [vdpa_sim]
     vdpasim_alloc_coherent+0x56/0x90 [vdpa_sim]
     ...

This happens because vdpasim->iommu[0] is not initialized when
dev_attr.nas is 0.

Let's fix this issue by initializing both (nas, ngroups) to 1 for
vdpa_sim_blk.

Comment 1 Avinash Hanwate 2025-06-19 20:24:22 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061848-CVE-2022-50058-212f@gregkh/T
