In the Linux kernel, the following vulnerability has been resolved:

vfio/type1: Unpin zero pages

There’s currently a reference count leak on the zero page. We increment the reference via pin_user_pages_remote(), but the page is later handled as an invalid/reserved page, therefore it’s not accounted against the user and not unpinned by our put_pfn().

Introducing special zero page handling in put_pfn() would resolve the leak, but without accounting of the zero page, a single user could still create enough mappings to generate a reference count overflow.

The zero page is always resident, so for our purposes there’s no reason to keep it pinned. Therefore, add a loop to walk pages returned from pin_user_pages_remote() and unpin any zero pages.
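
The accounting described in the commit message above, as an added user-space model (not the kernel patch and not code from the original page). `struct page`, `model_pin`, `model_put`, `map_unmap` and `zero_page_refs_after` are hypothetical stand-ins for the kernel's page refcount, pin_user_pages_remote() and put_pfn(), and the batch contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model: these types and helpers are hypothetical
 * stand-ins for kernel page refcounting, not kernel code. */
struct page { int refcount; bool reserved; bool is_zero; };

/* Stand-in for pin_user_pages_remote(): takes one reference per page. */
static int model_pin(struct page **pages, size_t n) {
    for (size_t i = 0; i < n; i++)
        pages[i]->refcount++;
    return (int)n;
}

/* Stand-in for put_pfn(): invalid/reserved pages are skipped, never unpinned. */
static void model_put(struct page *p) {
    if (p->reserved)
        return;
    p->refcount--;
}

/* One map/unmap cycle over a batch; `fixed` selects the behaviour after the fix. */
static void map_unmap(struct page **pages, size_t n, bool fixed) {
    int got = model_pin(pages, n);
    /* Fix: walk the pinned batch and drop the reference on zero pages at once. */
    for (int i = 0; i < got; i++)
        if (fixed && pages[i]->is_zero)
            pages[i]->refcount--;
    for (int i = 0; i < got; i++)
        model_put(pages[i]);
}

/* Returns the zero page's refcount after `cycles` map/unmap rounds. */
int zero_page_refs_after(int cycles, bool fixed) {
    struct page zero = { .refcount = 1, .reserved = true, .is_zero = true };
    struct page anon = { .refcount = 1, .reserved = false, .is_zero = false };
    struct page *batch[] = { &zero, &anon, &zero }; /* zero page mapped twice */
    for (int c = 0; c < cycles; c++)
        map_unmap(batch, 3, fixed);
    return zero.refcount;
}

int main(void) {
    printf("leaky: %d\n", zero_page_refs_after(1000, false));
    printf("fixed: %d\n", zero_page_refs_after(1000, true));
    return 0;
}
```

In the leaky path the count grows by one for every zero-page entry in every batch and never comes back down, which is why the commit message treats overflow as reachable by a single user.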

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-fde | < 5.15.0-1030.37.1 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-fde-5.15 | < 5.15.0-1030.37~20.04.1.1 | UNKNOWN |
git.kernel.org/linus/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 (6.0-rc5)
git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986
git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03
git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46
git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4
launchpad.net/bugs/cve/CVE-2022-48700
nvd.nist.gov/vuln/detail/CVE-2022-48700
security-tracker.debian.org/tracker/CVE-2022-48700
www.cve.org/CVERecord?id=CVE-2022-48700