cve/published/2022/CVE-2022-48890.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48890: scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM

 storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),
 which in a confidential VM allocates swiotlb bounce buffers. If the I/O
 submission fails in storvsc_do_io(), the I/O is typically retried by higher
 level code, but the bounce buffer memory is never freed.  The mostly like
 cause of I/O submission failure is a full VMBus channel ring buffer, which
 is not uncommon under high I/O loads.  Eventually enough bounce buffer
 memory leaks that the confidential VM can't do any I/O. The same problem
 can arise in a non-confidential VM with kernel boot parameter
 swiotlb=force.

 Fix this by doing scsi_dma_unmap() in the case of an I/O submission
 error, which frees the bounce buffer memory.

 The Linux kernel CVE team has assigned CVE-2022-48890 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit 743b237c3a7b0f5b44aa704aae8a1058877b6322 and fixed in 6.1.7 with commit 87c71e88f6a6619ffb1ff88f84dff48ef6d57adb
 	Issue introduced in 5.17 with commit 743b237c3a7b0f5b44aa704aae8a1058877b6322 and fixed in 6.2 with commit 67ff3d0a49f3d445c3922e30a54e03c161da561e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48890
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/storvsc_drv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/87c71e88f6a6619ffb1ff88f84dff48ef6d57adb
 	https://git.kernel.org/stable/c/67ff3d0a49f3d445c3922e30a54e03c161da561e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48890: scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM

	storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(),
	which in a confidential VM allocates swiotlb bounce buffers. If the I/O
	submission fails in storvsc_do_io(), the I/O is typically retried by higher
	level code, but the bounce buffer memory is never freed. The mostly like
	cause of I/O submission failure is a full VMBus channel ring buffer, which
	is not uncommon under high I/O loads. Eventually enough bounce buffer
	memory leaks that the confidential VM can't do any I/O. The same problem
	can arise in a non-confidential VM with kernel boot parameter
	swiotlb=force.

	Fix this by doing scsi_dma_unmap() in the case of an I/O submission
	error, which frees the bounce buffer memory.

	The Linux kernel CVE team has assigned CVE-2022-48890 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit 743b237c3a7b0f5b44aa704aae8a1058877b6322 and fixed in 6.1.7 with commit 87c71e88f6a6619ffb1ff88f84dff48ef6d57adb
	Issue introduced in 5.17 with commit 743b237c3a7b0f5b44aa704aae8a1058877b6322 and fixed in 6.2 with commit 67ff3d0a49f3d445c3922e30a54e03c161da561e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48890
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/storvsc_drv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/87c71e88f6a6619ffb1ff88f84dff48ef6d57adb
	https://git.kernel.org/stable/c/67ff3d0a49f3d445c3922e30a54e03c161da561e