CVE-2022-49154
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 26/02/2025
Last modified: 23/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: fix panic on out-of-bounds guest IRQ

As guest_irq is coming from the KVM_IRQFD API call, it may trigger a
crash in svm_update_pi_irte() due to out-of-bounds:

```
crash> bt
PID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: "vcpu8"
#0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397
#1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d
#2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d
#3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d
#4 [ffffb1ba6707fb90] no_context at ffffffff856692c9
#5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51
#6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace
[exception RIP: svm_update_pi_irte+227]
RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086
RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001
RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8
RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200
R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]
#8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]
#9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]
RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246
RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b
RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020
RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0
R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0
R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0
ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b
```

VMX has fixed this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on
out-of-bounds guest IRQ), so we can just copy the source from that to fix
this.
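The class of bug described above, as a simplified user-space model added here for illustration; it is not the kernel patch or KVM's own code. The struct, enum, function names and the sample table are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model (assumption, not kernel code): one optional
 * route per guest IRQ; names and layout are illustrative only. */
enum route_type { ROUTE_NONE = 0, ROUTE_IRQCHIP, ROUTE_MSI };
struct route { enum route_type type; uint32_t vector; };
struct routing_table {
    uint32_t nr_rt_entries;     /* number of valid slots in map[] */
    const struct route *map;    /* indexed by guest IRQ number */
};
enum { PI_NO_ROUTE = -1, PI_SKIP = 0, PI_UPDATE = 1 };

/* "Before" shape: the index is used as-is, so a guest_irq at or beyond
 * nr_rt_entries reads outside map[]. Shown for contrast only. */
static int pi_lookup_unchecked(const struct routing_table *rt,
                               uint32_t guest_irq, uint32_t *vector)
{
    const struct route *r = &rt->map[guest_irq];
    if (r->type != ROUTE_MSI)
        return PI_SKIP;
    *vector = r->vector;
    return PI_UPDATE;
}

/* "After" shape: validate the caller-supplied index against the table size
 * and treat an empty slot as "no route" before touching the entry. */
static int pi_lookup_checked(const struct routing_table *rt,
                             uint32_t guest_irq, uint32_t *vector)
{
    if (guest_irq >= rt->nr_rt_entries ||
        rt->map[guest_irq].type == ROUTE_NONE)
        return PI_NO_ROUTE;     /* caller logs once and skips the update */
    return pi_lookup_unchecked(rt, guest_irq, vector);
}

/* Constructed sample table: 4 slots, only IRQ 2 carries an MSI route. */
static const struct route sample_map[4] = {
    {ROUTE_IRQCHIP, 0}, {ROUTE_NONE, 0}, {ROUTE_MSI, 0x41}, {ROUTE_IRQCHIP, 0} };
static const struct routing_table sample_rt = { 4, sample_map };

int main(void)
{
    uint32_t irqs[] = { 2, 0, 1, 4, 1000 }, vec = 0;
    for (size_t i = 0; i < sizeof irqs / sizeof irqs[0]; i++)
        printf("guest_irq %u -> %d\n", (unsigned)irqs[i],
               pi_lookup_checked(&sample_rt, irqs[i], &vec));
    return 0;
}
```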
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9 (including) | 5.10.110 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.19 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0fb470eb48892e131d10aa3be6915239e65758f3
- https://git.kernel.org/stable/c/3fa2d747960521a646fc1aad7aea82e95e139a68
- https://git.kernel.org/stable/c/a6ffdebfb6a9c2ffeed902b544b96fe67498210e
- https://git.kernel.org/stable/c/a80ced6ea514000d34bf1239d47553de0d1ee89e
- https://git.kernel.org/stable/c/e4d153d53d9648513481eb4ef8c212e7f1f8173d



