CVE-2022-48862
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48862
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48862.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-48862
- Downstream
- Related
- Published
- 2024-07-16T12:25:25Z
- Modified
- 2025-10-21T08:03:15.255296Z
- Summary
- vhost: fix hung thread due to erroneous iotlb entries
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
vhost: fix hung thread due to erroneous iotlb entries
In vhostiotlbaddrangectx(), range size can overflow to 0 when start is 0 and last is ULONGMAX. One instance where it can happen is when userspace sends an IOTLB message with iova=size=uaddr=0 (vhostprocessiotlbmsg). So, an entry with size = 0, start = 0, last = ULONGMAX ends up in the iotlb. Next time a packet is sent, iotlbaccess_ok() loops indefinitely due to that erroneous entry.
Call Trace: <TASK> iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK>Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
To fix this, do two things:
- Return -EINVAL in vhostchrwrite_iter() when userspace asks to map a range with size 0.
- Fix vhostiotlbaddrangectx() to handle the range [0, ULONG_MAX] by splitting it into two entries.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0bbe30668d89ec8a309f28ced6d092c90fb23e8cFixedf8d88e86e90ea1002226d7ac2430152bfea003d1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0bbe30668d89ec8a309f28ced6d092c90fb23e8cFixedd9a747e6b6561280bf1791bb24c5e9e082193dad
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0bbe30668d89ec8a309f28ced6d092c90fb23e8cFixede2ae38cf3d91837a493cb2093c87700ff3cbe667
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.6
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"digest": {
"line_hashes": [
"4790838172301139078796544590878426841",
"173587115705734230572900664460979962082",
"73334856264267926932709392076547909081"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-48862-42de3b0d",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2ae38cf3d91837a493cb2093c87700ff3cbe667",
"target": {
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Line"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "69563632643752934457840732167523825722",
"length": 743.0
},
"deprecated": false,
"id": "CVE-2022-48862-5e63ff52",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9a747e6b6561280bf1791bb24c5e9e082193dad",
"target": {
"function": "vhost_iotlb_add_range_ctx",
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "69563632643752934457840732167523825722",
"length": 743.0
},
"deprecated": false,
"id": "CVE-2022-48862-75e3c4df",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2ae38cf3d91837a493cb2093c87700ff3cbe667",
"target": {
"function": "vhost_iotlb_add_range_ctx",
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"line_hashes": [
"4790838172301139078796544590878426841",
"173587115705734230572900664460979962082",
"73334856264267926932709392076547909081"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-48862-773dd7a7",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8d88e86e90ea1002226d7ac2430152bfea003d1",
"target": {
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Line"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "97307897913498508555073864650630524001",
"length": 803.0
},
"deprecated": false,
"id": "CVE-2022-48862-794c0e3b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8d88e86e90ea1002226d7ac2430152bfea003d1",
"target": {
"function": "vhost_chr_write_iter",
"file": "drivers/vhost/vhost.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"line_hashes": [
"4790838172301139078796544590878426841",
"173587115705734230572900664460979962082",
"73334856264267926932709392076547909081"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-48862-c6e2dcd7",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9a747e6b6561280bf1791bb24c5e9e082193dad",
"target": {
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Line"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "69563632643752934457840732167523825722",
"length": 743.0
},
"deprecated": false,
"id": "CVE-2022-48862-e06d6488",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8d88e86e90ea1002226d7ac2430152bfea003d1",
"target": {
"function": "vhost_iotlb_add_range_ctx",
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "97307897913498508555073864650630524001",
"length": 803.0
},
"deprecated": false,
"id": "CVE-2022-48862-e5901317",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2ae38cf3d91837a493cb2093c87700ff3cbe667",
"target": {
"function": "vhost_chr_write_iter",
"file": "drivers/vhost/vhost.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "97307897913498508555073864650630524001",
"length": 803.0
},
"deprecated": false,
"id": "CVE-2022-48862-f6b7c9f3",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9a747e6b6561280bf1791bb24c5e9e082193dad",
"target": {
"function": "vhost_chr_write_iter",
"file": "drivers/vhost/vhost.c"
},
"signature_type": "Function"
}
]