CVE-2022-49568 (GCVE-0-2022-49568)
Vulnerability from cvelistv5
Published: 2025-02-26 02:23
Modified: 2025-06-19 12:56
Summary
In the Linux kernel, the following vulnerability has been resolved:

KVM: Don't null dereference ops->destroy

A KVM device cleanup happens in either of two callbacks:
1) destroy() which is called when the VM is being destroyed;
2) release() which is called when a device fd is closed.

Most KVM devices use 1) but Book3s's interrupt controller KVM devices (XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during the machine execution. The error handling in kvm_ioctl_create_device() assumes destroy() is always defined which leads to NULL dereference as discovered by Syzkaller.

This adds a check for destroy!=NULL and adds a missing release().

This is not changing kvm_destroy_devices() as devices with defined release() should have been removed from the KVM devices list by then.
Impacted products
Vendor Product Version
Linux Linux Version: 852b6d57dc7fa378019786fa84727036e56839ea
Version: 852b6d57dc7fa378019786fa84727036e56839ea
Version: 852b6d57dc7fa378019786fa84727036e56839ea
Version: 852b6d57dc7fa378019786fa84727036e56839ea
Version: 852b6d57dc7fa378019786fa84727036e56839ea
   Linux Linux Version: 3.10


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "virt/kvm/kvm_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "170465715a60cbb7876e6b961b21bd3225469da8",
              "status": "affected",
              "version": "852b6d57dc7fa378019786fa84727036e56839ea",
              "versionType": "git"
            },
            {
              "lessThan": "3616776bc51cd3262bb1be60cc01c72e0a1959cf",
              "status": "affected",
              "version": "852b6d57dc7fa378019786fa84727036e56839ea",
              "versionType": "git"
            },
            {
              "lessThan": "e91665fbbf3ccb268b268a7d71a6513538d813ac",
              "status": "affected",
              "version": "852b6d57dc7fa378019786fa84727036e56839ea",
              "versionType": "git"
            },
            {
              "lessThan": "d4a5a79b780891c5cbdfdc6124d46fdf8d13dba1",
              "status": "affected",
              "version": "852b6d57dc7fa378019786fa84727036e56839ea",
              "versionType": "git"
            },
            {
              "lessThan": "e8bc2427018826e02add7b0ed0fc625a60390ae5",
              "status": "affected",
              "version": "852b6d57dc7fa378019786fa84727036e56839ea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "virt/kvm/kvm_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.210",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.210",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.134",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.58",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.15",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don\u0027t null dereference ops-\u003edestroy\n\nA KVM device cleanup happens in either of two callbacks:\n1) destroy() which is called when the VM is being destroyed;\n2) release() which is called when a device fd is closed.\n\nMost KVM devices use 1) but Book3s\u0027s interrupt controller KVM devices\n(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during\nthe machine execution. The error handling in kvm_ioctl_create_device()\nassumes destroy() is always defined which leads to NULL dereference as\ndiscovered by Syzkaller.\n\nThis adds a checks for destroy!=NULL and adds a missing release().\n\nThis is not changing kvm_destroy_devices() as devices with defined\nrelease() should have been removed from the KVM devices list by then."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T12:56:21.639Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/170465715a60cbb7876e6b961b21bd3225469da8"
        },
        {
          "url": "https://git.kernel.org/stable/c/3616776bc51cd3262bb1be60cc01c72e0a1959cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/e91665fbbf3ccb268b268a7d71a6513538d813ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4a5a79b780891c5cbdfdc6124d46fdf8d13dba1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8bc2427018826e02add7b0ed0fc625a60390ae5"
        }
      ],
      "title": "KVM: Don\u0027t null dereference ops-\u003edestroy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49568",
    "datePublished": "2025-02-26T02:23:12.722Z",
    "dateReserved": "2025-02-26T02:21:30.410Z",
    "dateUpdated": "2025-06-19T12:56:21.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49568\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-26T07:01:32.517\",\"lastModified\":\"2025-03-10T21:11:32.760\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: Don\u0027t null dereference ops-\u003edestroy\\n\\nA KVM device cleanup happens in either of two callbacks:\\n1) destroy() which is called when the VM is being destroyed;\\n2) release() which is called when a device fd is closed.\\n\\nMost KVM devices use 1) but Book3s\u0027s interrupt controller KVM devices\\n(XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during\\nthe machine execution. The error handling in kvm_ioctl_create_device()\\nassumes destroy() is always defined which leads to NULL dereference as\\ndiscovered by Syzkaller.\\n\\nThis adds a checks for destroy!=NULL and adds a missing release().\\n\\nThis is not changing kvm_destroy_devices() as devices with defined\\nrelease() should have been removed from the KVM devices list by then.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: No desreferenciar ops-\u0026gt;destroy Una depuraci\u00f3n de dispositivo KVM ocurre en cualquiera de dos devoluciones de llamada: 1) destroy() que se llama cuando se est\u00e1 destruyendo la VM; 2) release() que se llama cuando se cierra un fd de dispositivo. La mayor\u00eda de los dispositivos KVM usan 1) pero los dispositivos KVM del controlador de interrupciones de Book3s (XICS, XIVE, XIVE-native) usan 2) ya que necesitan cerrarse y volver a abrir durante la ejecuci\u00f3n de la m\u00e1quina. La gesti\u00f3n de errores en kvm_ioctl_create_device() asume que destroy() siempre est\u00e1 definido, lo que lleva a una desreferencia NULL como lo descubri\u00f3 Syzkaller. Esto agrega verificaciones para destroy!=NULL y agrega un release() faltante. 
Esto no est\u00e1 cambiando kvm_destroy_devices() ya que los dispositivos con release() definido deber\u00edan haber sido eliminados de la lista de dispositivos KVM para entonces.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.4.210\",\"matchCriteriaId\":\"769A1563-4E73-4FA2-BDEB-9DBD40989582\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.134\",\"matchCriteriaId\":\"4B697B47-6B36-47E0-95DC-054EC4633DEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.58\",\"matchCriteriaId\":\"13CF20C8-4DA9-4A21-AD13-7A5C22E5FB05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.18.15\",\"matchCriteriaId\":\"EAD6B571-194C-43A2-A4AB-F68F869D13BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A8C30C2D-F82D-4D37-AB48-D76ABFBD5377\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/170465715a60cbb7876e6b961b21bd3225469da8\",\"so
urce\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3616776bc51cd3262bb1be60cc01c72e0a1959cf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d4a5a79b780891c5cbdfdc6124d46fdf8d13dba1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e8bc2427018826e02add7b0ed0fc625a60390ae5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e91665fbbf3ccb268b268a7d71a6513538d813ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

