In the Linux kernel, the following vulnerability has been resolved:
vhost: fix hung thread due to erroneous iotlb entries
In vhost_iotlb_add_range_ctx(), the range size (computed as last - start + 1) wraps to 0 in unsigned arithmetic when start is 0 and last is ULONG_MAX. One instance where it can happen is when userspace sends an IOTLB message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, iotlb_access_ok() loops indefinitely due to that erroneous entry. Because the message is accepted from userspace and the loop runs in the vhost worker kthread (see the trace below), any process that can write IOTLB messages to a vhost device can hang that kernel thread: a local denial of service.
Call Trace:
<TASK>
iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
To fix this, do two things: (the remainder of the upstream description is truncated on this page; per the signatures below, the fix touches vhost_chr_write_iter() in drivers/vhost/vhost.c, where the userspace IOTLB message is received, and vhost_iotlb_add_range_ctx() in drivers/vhost/iotlb.c, where the zero-size entry is created)
[
{
"signature_version": "v1",
"digest": {
"line_hashes": [
"4790838172301139078796544590878426841",
"173587115705734230572900664460979962082",
"73334856264267926932709392076547909081"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-48862-42de3b0d",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2ae38cf3d91837a493cb2093c87700ff3cbe667",
"target": {
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Line"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "69563632643752934457840732167523825722",
"length": 743.0
},
"deprecated": false,
"id": "CVE-2022-48862-5e63ff52",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9a747e6b6561280bf1791bb24c5e9e082193dad",
"target": {
"function": "vhost_iotlb_add_range_ctx",
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "69563632643752934457840732167523825722",
"length": 743.0
},
"deprecated": false,
"id": "CVE-2022-48862-75e3c4df",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2ae38cf3d91837a493cb2093c87700ff3cbe667",
"target": {
"function": "vhost_iotlb_add_range_ctx",
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"line_hashes": [
"4790838172301139078796544590878426841",
"173587115705734230572900664460979962082",
"73334856264267926932709392076547909081"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-48862-773dd7a7",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8d88e86e90ea1002226d7ac2430152bfea003d1",
"target": {
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Line"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "97307897913498508555073864650630524001",
"length": 803.0
},
"deprecated": false,
"id": "CVE-2022-48862-794c0e3b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8d88e86e90ea1002226d7ac2430152bfea003d1",
"target": {
"function": "vhost_chr_write_iter",
"file": "drivers/vhost/vhost.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"line_hashes": [
"4790838172301139078796544590878426841",
"173587115705734230572900664460979962082",
"73334856264267926932709392076547909081"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2022-48862-c6e2dcd7",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9a747e6b6561280bf1791bb24c5e9e082193dad",
"target": {
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Line"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "69563632643752934457840732167523825722",
"length": 743.0
},
"deprecated": false,
"id": "CVE-2022-48862-e06d6488",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f8d88e86e90ea1002226d7ac2430152bfea003d1",
"target": {
"function": "vhost_iotlb_add_range_ctx",
"file": "drivers/vhost/iotlb.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "97307897913498508555073864650630524001",
"length": 803.0
},
"deprecated": false,
"id": "CVE-2022-48862-e5901317",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2ae38cf3d91837a493cb2093c87700ff3cbe667",
"target": {
"function": "vhost_chr_write_iter",
"file": "drivers/vhost/vhost.c"
},
"signature_type": "Function"
},
{
"signature_version": "v1",
"digest": {
"function_hash": "97307897913498508555073864650630524001",
"length": 803.0
},
"deprecated": false,
"id": "CVE-2022-48862-f6b7c9f3",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9a747e6b6561280bf1791bb24c5e9e082193dad",
"target": {
"function": "vhost_chr_write_iter",
"file": "drivers/vhost/vhost.c"
},
"signature_type": "Function"
}
]