CVE-2022-49557

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)<br /> <br /> Set the starting uABI size of KVM&amp;#39;s guest FPU to &amp;#39;struct kvm_xsave&amp;#39;,<br /> i.e. to KVM&amp;#39;s historical uABI size. When saving FPU state for usersapce,<br /> KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if<br /> the host doesn&amp;#39;t support XSAVE. Setting the XSAVE header allows the VM<br /> to be migrated to a host that does support XSAVE without the new host<br /> having to handle FPU state that may or may not be compatible with XSAVE.<br /> <br /> Setting the uABI size to the host&amp;#39;s default size results in out-of-bounds<br /> writes (setting the FP+SSE bits) and data corruption (that is thankfully<br /> caught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.<br /> <br /> WARN if the default size is larger than KVM&amp;#39;s historical uABI size; all<br /> features that can push the FPU size beyond the historical size must be<br /> opt-in.<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130<br /> Read of size 8 at addr ffff888011e33a00 by task qemu-build/681<br /> CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1<br /> Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x34/0x45<br /> print_report.cold+0x45/0x575<br /> kasan_report+0x9b/0xd0<br /> fpu_copy_uabi_to_guest_fpstate+0x86/0x130<br /> kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]<br /> kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]<br /> __x64_sys_ioctl+0x5de/0xc90<br /> do_syscall_64+0x31/0x50<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> Allocated by task 0:<br /> (stack is not available)<br /> The buggy address belongs to the object at ffff888011e33800<br /> which belongs to the cache kmalloc-512 of size 512<br /> The buggy address is located 0 bytes to the right of<br /> 512-byte region [ffff888011e33800, ffff888011e33a00)<br /> The buggy address belongs to the physical page:<br /> page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30<br /> head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0<br /> flags: 0x4000000000010200(slab|head|zone=1)<br /> raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80<br /> raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> Memory state around the buggy address:<br /> ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> &gt;ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ^<br /> ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> ==================================================================<br /> Disabling lock debugging due to kernel taint