PT-2022-7474 · Linux · Linux Kernel
Reporter: Syzbot
Published: 2022-03-06
Updated: 2026-03-14
CVE-2022-48862
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The issue is a hung thread caused by erroneous IOTLB entries in the vhost component of the Linux kernel. Specifically, in vhost_iotlb_add_range_ctx(), the range size (computed as last - start + 1) overflows to 0 when start is 0 and last is ULONG_MAX. This happens when userspace sends an IOTLB message with iova=size=uaddr=0. As a result, an entry with size = 0, start = 0, last = ULONG_MAX ends up in the IOTLB, and iotlb_access_ok() loops indefinitely when a packet is sent because a zero-size entry never advances the walk. Two changes are recommended to fix this: return -EINVAL in vhost_chr_write_iter() when userspace asks to map a range with size 0, and fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] by splitting it into two entries.
Recommendations
To resolve the issue, follow these steps:
- Return -EINVAL in vhost_chr_write_iter() when userspace asks to map a range with size 0.
- Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] by splitting it into two entries.
As a temporary workaround, consider disabling the vhost_iotlb_add_range_ctx() function until a patch is available. Restrict access to the vulnerable vhost module to minimize the risk of exploitation. Avoid using the iova and uaddr parameters with a size of 0 in the affected API endpoints until the issue is resolved.
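The following is an added, self-contained C model of the IOTLB bookkeeping described above; it is not the kernel's code and the struct and function names (tlb_map, add_range_unchecked, add_range_checked, process_update, access_ok_walk) are hypothetical. It shows how an update with size 0 produces last = ULONG_MAX (modelled here as UINT64_MAX), how last - start + 1 wraps to a zero-size entry, why a walk over that entry makes no progress, and how the two recommended checks (rejecting size 0 at the message layer and splitting [0, ULONG_MAX] into two entries) prevent it. The walk is bounded so that the model reports the stuck condition instead of hanging.

```c
/* Added example, not the kernel's code: a minimal model of vhost IOTLB
 * range handling for CVE-2022-48862. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <errno.h>

#define MAX_ENTRIES 8
#define WALK_LIMIT  64   /* bound on the walk so a stuck loop is reported, not hung */

typedef uint64_t u64;

struct tlb_map { u64 start, last, size, addr; };
struct tlb     { struct tlb_map map[MAX_ENTRIES]; size_t n; };

/* Original computation: size = last - start + 1, which wraps to 0
 * for start == 0, last == UINT64_MAX (the kernel's ULONG_MAX). */
static int add_range_unchecked(struct tlb *t, u64 start, u64 last, u64 addr)
{
    if (t->n == MAX_ENTRIES)
        return -ENOMEM;
    t->map[t->n++] = (struct tlb_map){ start, last, last - start + 1, addr };
    return 0;
}

/* Hardened insert: reject inverted ranges and split [0, UINT64_MAX] into
 * [0, UINT64_MAX/2] and [UINT64_MAX/2 + 1, UINT64_MAX] so no entry has size 0. */
static int add_range_checked(struct tlb *t, u64 start, u64 last, u64 addr)
{
    if (last < start)
        return -EFAULT;
    if (start == 0 && last == UINT64_MAX) {
        u64 mid = last / 2;
        int err = add_range_checked(t, 0, mid, addr);
        if (err)
            return err;
        addr += mid + 1;
        start = mid + 1;
    }
    return add_range_unchecked(t, start, last, addr);
}

/* Model of the userspace IOTLB update message (iova, size, uaddr).
 * With size == 0, last = iova + size - 1 wraps to UINT64_MAX. */
static int process_update(struct tlb *t, u64 iova, u64 size, u64 uaddr, bool hardened)
{
    if (hardened && size == 0)
        return -EINVAL;               /* first recommended check */
    u64 last = iova + size - 1;
    return hardened ? add_range_checked(t, iova, last, uaddr)
                    : add_range_unchecked(t, iova, last, uaddr);
}

static const struct tlb_map *lookup(const struct tlb *t, u64 addr)
{
    for (size_t i = 0; i < t->n; i++)
        if (addr >= t->map[i].start && addr <= t->map[i].last)
            return &t->map[i];
    return NULL;
}

/* Model of the access-ok walk: advance through entries until len bytes are
 * covered. Returns 1 if covered, 0 on a hole, -1 if an entry made no
 * progress (the hang described above, cut off here by WALK_LIMIT). */
static int access_ok_walk(const struct tlb *t, u64 addr, u64 len)
{
    u64 covered = 0;
    for (int iter = 0; covered < len; iter++) {
        if (iter == WALK_LIMIT)
            return -1;
        const struct tlb_map *m = lookup(t, addr);
        if (!m)
            return 0;
        u64 step = m->size - (addr - m->start);
        if (step == 0)
            return -1;                /* zero-size entry: no progress possible */
        covered += step;
        addr += step;
    }
    return 1;
}

/* Scenario helpers so the outcomes can be checked by value. */
static int demo_unchecked_walk(void)     /* expect -1: walk stuck on size-0 entry */
{
    struct tlb t = { .n = 0 };
    process_update(&t, 0, 0, 0, false);
    return access_ok_walk(&t, 0, 4096);
}

static int demo_hardened_reject(void)    /* expect -EINVAL */
{
    struct tlb t = { .n = 0 };
    return process_update(&t, 0, 0, 0, true);
}

int main(void)
{
    printf("unchecked walk: %d, hardened update: %d\n",
           demo_unchecked_walk(), demo_hardened_reject());
    return 0;
}
```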
Exploit
Fix
Infinite Loop
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Linux Kernel
Red Os
Suse