Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com

CVE-2022-48862

Description

In the Linux kernel, the following vulnerability has been resolved:vhost: fix hung thread due to erroneous iotlb entriesIn vhost_iotlb_add_range_ctx(), range size can overflow to 0 whenstart is 0 and last is ULONG_MAX. One instance where it can happenis when userspace sends an IOTLB message with iova=size=uaddr=0(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,iotlb_access_ok() loops indefinitely due to that erroneous entry. Call Trace: iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87To fix this, do two things:1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map a range with size 0.2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] by splitting it into two entries.

POC

Reference

No PoCs from references.

Github

- https://github.com/fkie-cad/nvd-json-data-feeds