cve/published/2022/CVE-2022-48943.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48943: KVM: x86/mmu: make apf token non-zero to fix bug

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: x86/mmu: make apf token non-zero to fix bug

 In current async pagefault logic, when a page is ready, KVM relies on
 kvm_arch_can_dequeue_async_page_present() to determine whether to deliver
 a READY event to the Guest. This function test token value of struct
 kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a
 READY event is finished by Guest. If value is zero meaning that a READY
 event is done, so the KVM can deliver another.
 But the kvm_arch_setup_async_pf() may produce a valid token with zero
 value, which is confused with previous mention and may lead the loss of
 this READY event.

 This bug may cause task blocked forever in Guest:
  INFO: task stress:7532 blocked for more than 1254 seconds.
        Not tainted 5.10.0 #16
  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
  task:stress          state:D stack:    0 pid: 7532 ppid:  1409
  flags:0x00000080
  Call Trace:
   __schedule+0x1e7/0x650
   schedule+0x46/0xb0
   kvm_async_pf_task_wait_schedule+0xad/0xe0
   ? exit_to_user_mode_prepare+0x60/0x70
   __kvm_handle_async_pf+0x4f/0xb0
   ? asm_exc_page_fault+0x8/0x30
   exc_page_fault+0x6f/0x110
   ? asm_exc_page_fault+0x8/0x30
   asm_exc_page_fault+0x1e/0x30
  RIP: 0033:0x402d00
  RSP: 002b:00007ffd31912500 EFLAGS: 00010206
  RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0
  RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0
  RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086
  R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000
  R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000

 The Linux kernel CVE team has assigned CVE-2022-48943 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.103 with commit 72fdfc75d4217b32363cc80def3de2cb3fef3f02
 	Fixed in 5.15.26 with commit 4c3644b6c96c5daa5149e5abddc07234eea47c7c
 	Fixed in 5.16.12 with commit 62040f5cd7d937de547836e747b6aa8212fec573
 	Fixed in 5.17 with commit 6f3c1fc53d86d580d8d6d749c4af23705e4f6f79

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48943
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/mmu/mmu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/72fdfc75d4217b32363cc80def3de2cb3fef3f02
 	https://git.kernel.org/stable/c/4c3644b6c96c5daa5149e5abddc07234eea47c7c
 	https://git.kernel.org/stable/c/62040f5cd7d937de547836e747b6aa8212fec573
 	https://git.kernel.org/stable/c/6f3c1fc53d86d580d8d6d749c4af23705e4f6f79
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48943: KVM: x86/mmu: make apf token non-zero to fix bug

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: x86/mmu: make apf token non-zero to fix bug

	In current async pagefault logic, when a page is ready, KVM relies on
	kvm_arch_can_dequeue_async_page_present() to determine whether to deliver
	a READY event to the Guest. This function test token value of struct
	kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a
	READY event is finished by Guest. If value is zero meaning that a READY
	event is done, so the KVM can deliver another.
	But the kvm_arch_setup_async_pf() may produce a valid token with zero
	value, which is confused with previous mention and may lead the loss of
	this READY event.

	This bug may cause task blocked forever in Guest:
	INFO: task stress:7532 blocked for more than 1254 seconds.
	Not tainted 5.10.0 #16
	"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
	task:stress state:D stack: 0 pid: 7532 ppid: 1409
	flags:0x00000080
	Call Trace:
	__schedule+0x1e7/0x650
	schedule+0x46/0xb0
	kvm_async_pf_task_wait_schedule+0xad/0xe0
	? exit_to_user_mode_prepare+0x60/0x70
	__kvm_handle_async_pf+0x4f/0xb0
	? asm_exc_page_fault+0x8/0x30
	exc_page_fault+0x6f/0x110
	? asm_exc_page_fault+0x8/0x30
	asm_exc_page_fault+0x1e/0x30
	RIP: 0033:0x402d00
	RSP: 002b:00007ffd31912500 EFLAGS: 00010206
	RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0
	RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0
	RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086
	R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000
	R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000

	The Linux kernel CVE team has assigned CVE-2022-48943 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.103 with commit 72fdfc75d4217b32363cc80def3de2cb3fef3f02
	Fixed in 5.15.26 with commit 4c3644b6c96c5daa5149e5abddc07234eea47c7c
	Fixed in 5.16.12 with commit 62040f5cd7d937de547836e747b6aa8212fec573
	Fixed in 5.17 with commit 6f3c1fc53d86d580d8d6d749c4af23705e4f6f79

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48943
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/mmu/mmu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/72fdfc75d4217b32363cc80def3de2cb3fef3f02
	https://git.kernel.org/stable/c/4c3644b6c96c5daa5149e5abddc07234eea47c7c
	https://git.kernel.org/stable/c/62040f5cd7d937de547836e747b6aa8212fec573
	https://git.kernel.org/stable/c/6f3c1fc53d86d580d8d6d749c4af23705e4f6f79