CVE-2022-50425

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
01/10/2025
Last modified:
20/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly

When an extended state component is not present in fpstate, but in init
state, the function copies from init_fpstate via copy_feature().

But, dynamic states are not present in init_fpstate because of all-zeros
init states. Then retrieving them from init_fpstate will explode like this:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:memcpy_erms+0x6/0x10
 ? __copy_xstate_to_uabi_buf+0x381/0x870
 fpu_copy_guest_fpstate_to_uabi+0x28/0x80
 kvm_arch_vcpu_ioctl+0x14c/0x1460 [kvm]
 ? __this_cpu_preempt_check+0x13/0x20
 ? vmx_vcpu_put+0x2e/0x260 [kvm_intel]
 kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
 ? kvm_vcpu_ioctl+0xea/0x6b0 [kvm]
 ? __fget_light+0xd4/0x130
 __x64_sys_ioctl+0xe3/0x910
 ? debug_smp_processor_id+0x17/0x20
 ? fpregs_assert_state_consistent+0x27/0x50
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Adjust the 'mask' to zero out the userspace buffer for the features that
are not available both from fpstate and from init_fpstate.

The dynamic features depend on the compacted XSAVE format. Ensure it is
enabled before reading XCOMP_BV in init_fpstate.
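The failure mode and the mask fix described in the commit message, as an added C example. This is a constructed toy model, not kernel code: the struct, the four-component layout, the `feature_ptr`, `copy_xstate_buggy` and `copy_xstate_fixed` names and the sample payload bytes are all hypothetical. Components 2 and 3 play the role of dynamic features whose all-zero init state means init_fpstate carries no buffer for them; the buggy path returns -1 where the real kernel dereferenced NULL, and the fixed path narrows the copy mask to what either state actually holds and zeroes the rest of the user buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model (not kernel code) of the copy path in the CVE:
 * components absent from a task's fpstate fall back to init_fpstate, but
 * "dynamic" components have an all-zero init state and therefore have no
 * buffer in init_fpstate at all. All names here are hypothetical. */
#define NR_FEATURES  4
#define FEATURE_SIZE 8
#define XFEATURE_MASK(i) (1ULL << (i))

struct fpstate {
    uint64_t xfeatures;                        /* components carried in this state */
    uint8_t  data[NR_FEATURES][FEATURE_SIZE];  /* per-component payload */
};

/* Components 0 and 1 are regular; 2 and 3 stand in for dynamic features. */
static const struct fpstate init_fpstate = {
    .xfeatures = XFEATURE_MASK(0) | XFEATURE_MASK(1),
    .data = { [1] = { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 } },
};

/* Payload address for a component, or NULL when the state does not carry it. */
static const uint8_t *feature_ptr(const struct fpstate *s, int i)
{
    return (s->xfeatures & XFEATURE_MASK(i)) ? s->data[i] : NULL;
}

/* Pre-fix behaviour: every component missing from fpstate is read from
 * init_fpstate. For a dynamic component that pointer is NULL; the kernel
 * dereferenced it (the memcpy_erms oops above), this model returns -1. */
int copy_xstate_buggy(const struct fpstate *fp, uint64_t requested, uint8_t *ubuf)
{
    for (int i = 0; i < NR_FEATURES; i++) {
        if (!(requested & XFEATURE_MASK(i)))
            continue;
        const uint8_t *src = feature_ptr(fp, i);
        if (!src)
            src = feature_ptr(&init_fpstate, i);
        if (!src)
            return -1;                         /* would be a NULL dereference */
        memcpy(ubuf + i * FEATURE_SIZE, src, FEATURE_SIZE);
    }
    return 0;
}

/* Post-fix behaviour: the mask is limited to components available from
 * either state; anything else requested is zeroed in the output buffer,
 * which is the correct user-visible value for an all-zero init state. */
int copy_xstate_fixed(const struct fpstate *fp, uint64_t requested, uint8_t *ubuf)
{
    uint64_t mask = requested & (fp->xfeatures | init_fpstate.xfeatures);

    for (int i = 0; i < NR_FEATURES; i++) {
        uint8_t *dst = ubuf + i * FEATURE_SIZE;
        if (!(requested & XFEATURE_MASK(i)))
            continue;
        if (!(mask & XFEATURE_MASK(i))) {
            memset(dst, 0, FEATURE_SIZE);      /* absent everywhere: report zeros */
            continue;
        }
        const uint8_t *src = feature_ptr(fp, i);
        if (!src)
            src = feature_ptr(&init_fpstate, i);
        memcpy(dst, src, FEATURE_SIZE);
    }
    return 0;
}

/* Scenario: the task carries only component 0, user space asks for all four. */
static const uint64_t ALL_FEATURES = XFEATURE_MASK(0) | XFEATURE_MASK(1) |
                                     XFEATURE_MASK(2) | XFEATURE_MASK(3);

static struct fpstate make_task_state(void)
{
    struct fpstate fp;
    memset(&fp, 0, sizeof fp);
    fp.xfeatures = XFEATURE_MASK(0);
    memset(fp.data[0], 0xAA, FEATURE_SIZE);
    return fp;
}

/* Result of the buggy path for the scenario: -1 means it hit a NULL source. */
int scenario_buggy(void)
{
    struct fpstate fp = make_task_state();
    uint8_t ubuf[NR_FEATURES * FEATURE_SIZE];
    return copy_xstate_buggy(&fp, ALL_FEATURES, ubuf);
}

/* 1 when the fixed path fills component 0 from the task, component 1 from
 * init_fpstate, and zeroes both dynamic components. */
int scenario_fixed(void)
{
    struct fpstate fp = make_task_state();
    uint8_t ubuf[NR_FEATURES * FEATURE_SIZE];
    static const uint8_t zeros[FEATURE_SIZE];
    if (copy_xstate_fixed(&fp, ALL_FEATURES, ubuf) != 0)
        return 0;
    return memcmp(ubuf, fp.data[0], FEATURE_SIZE) == 0 &&
           memcmp(ubuf + FEATURE_SIZE, init_fpstate.data[1], FEATURE_SIZE) == 0 &&
           memcmp(ubuf + 2 * FEATURE_SIZE, zeros, FEATURE_SIZE) == 0 &&
           memcmp(ubuf + 3 * FEATURE_SIZE, zeros, FEATURE_SIZE) == 0;
}

int main(void)
{
    printf("buggy path: %s\n", scenario_buggy() == -1 ? "NULL source pointer" : "ok");
    printf("fixed path: %s\n", scenario_fixed() ? "dynamic components zeroed" : "FAILED");
    return 0;
}
```

The point to take from the model is where the mask is computed: deciding what to copy from the union of what fpstate and init_fpstate actually carry, rather than assuming init_fpstate has a buffer for every component, is what keeps a user-space request for a dynamic feature from becoming a kernel NULL dereference reachable through the KVM vCPU ioctl path shown in the trace.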

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.0.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*