CVE-2022-49562

Source: https://nvd.nist.gov/vuln/detail/CVE-2022-49562
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49562.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2022-49562
Published: 2025-02-26T02:14:06Z
Modified: 2025-10-21T10:30:06.622216Z
Summary
KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits

Use the recently introduced __try_cmpxchg_user() to update guest PTE A/D bits instead of mapping the PTE into kernel address space. The VM_PFNMAP path is broken as it assumes that vm_pgoff is the base pfn of the mapped VMA range, which is conceptually wrong as vm_pgoff is the offset relative to the file and has nothing to do with the pfn. The horrific hack worked for the original use case (backing guest memory with /dev/mem), but leads to accessing "random" pfns for pretty much any other VM_PFNMAP case.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: bd53cb35a3e9adb73a834a36586e9ad80e877767
Fixed: 38b888911e8dc89b89d8147cfb1d2dbe6373bf78

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: bd53cb35a3e9adb73a834a36586e9ad80e877767
Fixed: 8089e5e1d18402fb8152d6b6815450a36fffa9b0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Introduced: bd53cb35a3e9adb73a834a36586e9ad80e877767
Fixed: f122dfe4476890d60b8c679128cd2259ec96a24c

Affected versions

v5.*

v5.1
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

vanir_signatures


Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Introduced: 5.2.0
Fixed: 5.17.13

Type: ECOSYSTEM
Introduced: 5.18.0
Fixed: 5.18.2