cve/published/2022/CVE-2022-49154.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49154: KVM: SVM: fix panic on out-of-bounds guest IRQ

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: SVM: fix panic on out-of-bounds guest IRQ

 As guest_irq is coming from KVM_IRQFD API call, it may trigger
 crash in svm_update_pi_irte() due to out-of-bounds:

 crash> bt
 PID: 22218  TASK: ffff951a6ad74980  CPU: 73  COMMAND: "vcpu8"
  #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397
  #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d
  #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d
  #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d
  #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9
  #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51
  #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace
     [exception RIP: svm_update_pi_irte+227]
     RIP: ffffffffc0761b53  RSP: ffffb1ba6707fd08  RFLAGS: 00010086
     RAX: ffffb1ba6707fd78  RBX: ffffb1ba66d91000  RCX: 0000000000000001
     RDX: 00003c803f63f1c0  RSI: 000000000000019a  RDI: ffffb1ba66db2ab8
     RBP: 000000000000019a   R8: 0000000000000040   R9: ffff94ca41b82200
     R10: ffffffffffffffcf  R11: 0000000000000001  R12: 0000000000000001
     R13: 0000000000000001  R14: ffffffffffffffcf  R15: 000000000000005f
     ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
  #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]
  #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]
  #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]
     RIP: 00007f143c36488b  RSP: 00007f143a4e04b8  RFLAGS: 00000246
     RAX: ffffffffffffffda  RBX: 00007f05780041d0  RCX: 00007f143c36488b
     RDX: 00007f05780041d0  RSI: 000000004008ae6a  RDI: 0000000000000020
     RBP: 00000000000004e8   R8: 0000000000000008   R9: 00007f05780041e0
     R10: 00007f0578004560  R11: 0000000000000246  R12: 00000000000004e0
     R13: 000000000000001a  R14: 00007f1424001c60  R15: 00007f0578003bc0
     ORIG_RAX: 0000000000000010  CS: 0033  SS: 002b

 Vmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on
 out-of-bounds guest IRQ), so we can just copy source from that to fix
 this.

 The Linux kernel CVE team has assigned CVE-2022-49154 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.110 with commit 0fb470eb48892e131d10aa3be6915239e65758f3
 	Fixed in 5.15.33 with commit 3fa2d747960521a646fc1aad7aea82e95e139a68
 	Fixed in 5.16.19 with commit e4d153d53d9648513481eb4ef8c212e7f1f8173d
 	Fixed in 5.17.2 with commit a6ffdebfb6a9c2ffeed902b544b96fe67498210e
 	Fixed in 5.18 with commit a80ced6ea514000d34bf1239d47553de0d1ee89e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49154
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/svm/avic.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0fb470eb48892e131d10aa3be6915239e65758f3
 	https://git.kernel.org/stable/c/3fa2d747960521a646fc1aad7aea82e95e139a68
 	https://git.kernel.org/stable/c/e4d153d53d9648513481eb4ef8c212e7f1f8173d
 	https://git.kernel.org/stable/c/a6ffdebfb6a9c2ffeed902b544b96fe67498210e
 	https://git.kernel.org/stable/c/a80ced6ea514000d34bf1239d47553de0d1ee89e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49154: KVM: SVM: fix panic on out-of-bounds guest IRQ

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: SVM: fix panic on out-of-bounds guest IRQ

	As guest_irq is coming from KVM_IRQFD API call, it may trigger
	crash in svm_update_pi_irte() due to out-of-bounds:

	crash> bt
	PID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: "vcpu8"
	#0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397
	#1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d
	#2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d
	#3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d
	#4 [ffffb1ba6707fb90] no_context at ffffffff856692c9
	#5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51
	#6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace
	[exception RIP: svm_update_pi_irte+227]
	RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086
	RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001
	RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8
	RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200
	R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001
	R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f
	ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
	#7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]
	#8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]
	#9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]
	RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246
	RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b
	RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020
	RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0
	R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0
	R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0
	ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b

	Vmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on
	out-of-bounds guest IRQ), so we can just copy source from that to fix
	this.

	The Linux kernel CVE team has assigned CVE-2022-49154 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.110 with commit 0fb470eb48892e131d10aa3be6915239e65758f3
	Fixed in 5.15.33 with commit 3fa2d747960521a646fc1aad7aea82e95e139a68
	Fixed in 5.16.19 with commit e4d153d53d9648513481eb4ef8c212e7f1f8173d
	Fixed in 5.17.2 with commit a6ffdebfb6a9c2ffeed902b544b96fe67498210e
	Fixed in 5.18 with commit a80ced6ea514000d34bf1239d47553de0d1ee89e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49154
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/svm/avic.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0fb470eb48892e131d10aa3be6915239e65758f3
	https://git.kernel.org/stable/c/3fa2d747960521a646fc1aad7aea82e95e139a68
	https://git.kernel.org/stable/c/e4d153d53d9648513481eb4ef8c212e7f1f8173d
	https://git.kernel.org/stable/c/a6ffdebfb6a9c2ffeed902b544b96fe67498210e
	https://git.kernel.org/stable/c/a80ced6ea514000d34bf1239d47553de0d1ee89e