CVE-2022-49884

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: Initialize gfn_to_pfn_cache locks in dedicated helper<br /> <br /> Move the gfn_to_pfn_cache lock initialization to another helper and<br /> call the new helper during VM/vCPU creation. There are race<br /> conditions possible due to kvm_gfn_to_pfn_cache_init()&amp;#39;s<br /> ability to re-initialize the cache&amp;#39;s locks.<br /> <br /> For example: a race between ioctl(KVM_XEN_HVM_EVTCHN_SEND) and<br /> kvm_gfn_to_pfn_cache_init() leads to a corrupted shinfo gpc lock.<br /> <br /> (thread 1) | (thread 2)<br /> |<br /> kvm_xen_set_evtchn_fast |<br /> read_lock_irqsave(&amp;gpc-&gt;lock, ...) |<br /> | kvm_gfn_to_pfn_cache_init<br /> | rwlock_init(&amp;gpc-&gt;lock)<br /> read_unlock_irqrestore(&amp;gpc-&gt;lock, ...) |<br /> <br /> Rename "cache_init" and "cache_destroy" to activate+deactivate to<br /> avoid implying that the cache really is destroyed/freed.<br /> <br /> Note, there more races in the newly named kvm_gpc_activate() that will<br /> be addressed separately.<br /> <br /> [sean: call out that this is a bug fix]

Impact