CVE-2022-49884
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
02/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
KVM: Initialize gfn_to_pfn_cache locks in dedicated helper<br />
<br />
Move the gfn_to_pfn_cache lock initialization to another helper and<br />
call the new helper during VM/vCPU creation. There are race<br />
conditions possible due to kvm_gfn_to_pfn_cache_init()&#39;s<br />
ability to re-initialize the cache&#39;s locks.<br />
<br />
For example: a race between ioctl(KVM_XEN_HVM_EVTCHN_SEND) and<br />
kvm_gfn_to_pfn_cache_init() leads to a corrupted shinfo gpc lock.<br />
<br />
(thread 1) | (thread 2)<br />
|<br />
kvm_xen_set_evtchn_fast |<br />
read_lock_irqsave(&gpc->lock, ...) |<br />
| kvm_gfn_to_pfn_cache_init<br />
| rwlock_init(&gpc->lock)<br />
read_unlock_irqrestore(&gpc->lock, ...) |<br />
<br />
Rename "cache_init" and "cache_destroy" to activate+deactivate to<br />
avoid implying that the cache really is destroyed/freed.<br />
<br />
Note, there more races in the newly named kvm_gpc_activate() that will<br />
be addressed separately.<br />
<br />
[sean: call out that this is a bug fix]