CVE-2022-48862

2024-07-1613:15:13

CWE-835

Linux

web.nvd.nist.gov

linux kernel

vhost

vulnerability fix

hung thread

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

vhost: fix hung thread due to erroneous iotlb entries

In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
start is 0 and last is ULONG_MAX. One instance where it can happen
is when userspace sends an IOTLB message with iova=size=uaddr=0
(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
iotlb_access_ok() loops indefinitely due to that erroneous entry.

Call Trace:
 &lt;TASK&gt;
 iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 &lt;/TASK&gt;

Reported by syzbot at:
https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87

To fix this, do two things:

Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
a range with size 0.
Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
by splitting it into two entries.

Affected configurations

Nvd

Vulners

Node

linuxlinux_kernelRange5.7–5.15.29

linuxlinux_kernelRange5.16–5.16.15

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/vhost/iotlb.c",
      "drivers/vhost/vhost.c"
    ],
    "versions": [
      {
        "version": "0bbe30668d89",
        "lessThan": "f8d88e86e90e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0bbe30668d89",
        "lessThan": "d9a747e6b656",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "0bbe30668d89",
        "lessThan": "e2ae38cf3d91",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/vhost/iotlb.c",
      "drivers/vhost/vhost.c"
    ],
    "versions": [
      {
        "version": "5.7",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.7",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.29",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16.15",
        "lessThanOrEqual": "5.16.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.17",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]