fkie_cve-2022-49154
Vulnerability from fkie_nvd
Published
2025-02-26 07:00
Modified
2025-09-23 14:11
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: fix panic on out-of-bounds guest IRQ As guest_irq is coming from KVM_IRQFD API call, it may trigger crash in svm_update_pi_irte() due to out-of-bounds: crash> bt PID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: "vcpu8" #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397 #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9 #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51 #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace [exception RIP: svm_update_pi_irte+227] RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086 RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001 RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8 RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200 R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001 R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm] #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm] #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm] RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020 RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0 R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0 R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0 ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b Vmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on out-of-bounds guest IRQ), so we can just copy source from that to fix this.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0fb470eb48892e131d10aa3be6915239e65758f3Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3fa2d747960521a646fc1aad7aea82e95e139a68Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a6ffdebfb6a9c2ffeed902b544b96fe67498210ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a80ced6ea514000d34bf1239d47553de0d1ee89ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e4d153d53d9648513481eb4ef8c212e7f1f8173dPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2846E51C-65CF-4CDD-BDDD-B682E3E6F21C",
              "versionEndExcluding": "5.10.110",
              "versionStartIncluding": "4.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "27C42AE8-B387-43E2-938A-E1C8B40BE6D5",
              "versionEndExcluding": "5.15.33",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B",
              "versionEndExcluding": "5.16.19",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF",
              "versionEndExcluding": "5.17.2",
              "versionStartIncluding": "5.17",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: fix panic on out-of-bounds guest IRQ\n\nAs guest_irq is coming from KVM_IRQFD API call, it may trigger\ncrash in svm_update_pi_irte() due to out-of-bounds:\n\ncrash\u003e bt\nPID: 22218  TASK: ffff951a6ad74980  CPU: 73  COMMAND: \"vcpu8\"\n #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397\n #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d\n #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d\n #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d\n #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9\n #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51\n #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace\n    [exception RIP: svm_update_pi_irte+227]\n    RIP: ffffffffc0761b53  RSP: ffffb1ba6707fd08  RFLAGS: 00010086\n    RAX: ffffb1ba6707fd78  RBX: ffffb1ba66d91000  RCX: 0000000000000001\n    RDX: 00003c803f63f1c0  RSI: 000000000000019a  RDI: ffffb1ba66db2ab8\n    RBP: 000000000000019a   R8: 0000000000000040   R9: ffff94ca41b82200\n    R10: ffffffffffffffcf  R11: 0000000000000001  R12: 0000000000000001\n    R13: 0000000000000001  R14: ffffffffffffffcf  R15: 000000000000005f\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]\n #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]\n #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]\n    RIP: 00007f143c36488b  RSP: 00007f143a4e04b8  RFLAGS: 00000246\n    RAX: ffffffffffffffda  RBX: 00007f05780041d0  RCX: 00007f143c36488b\n    RDX: 00007f05780041d0  RSI: 000000004008ae6a  RDI: 0000000000000020\n    RBP: 00000000000004e8   R8: 0000000000000008   R9: 00007f05780041e0\n    R10: 00007f0578004560  R11: 0000000000000246  R12: 00000000000004e0\n    R13: 000000000000001a  R14: 00007f1424001c60  R15: 00007f0578003bc0\n    ORIG_RAX: 0000000000000010  CS: 0033  SS: 002b\n\nVmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on\nout-of-bounds guest IRQ), so we can just copy source from that to fix\nthis."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: SVM: se corrige el p\u00e1nico en la IRQ de invitado fuera de los l\u00edmites Como guest_irq proviene de la llamada API KVM_IRQFD, puede provocar un bloqueo en svm_update_pi_irte() debido a fuera de los l\u00edmites: crash\u0026gt; bt PID: 22218 TAREA: ffff951a6ad74980 CPU: 73 COMANDO: \"vcpu8\" #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397 #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d #3 [ffffb1ba6707fb70] oops_end en ffffffff85623c0d #4 [ffffb1ba6707fb90] no_context en ffffffff856692c9 #5 [ffffb1ba6707fbf8] exc_page_fault en ffffffff85f95b51 #6 [ffffb1ba6707fc50] asm_exc_page_fault en ffffffff86000ace [excepci\u00f3n RIP: svm_update_pi_irte+227] RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086 RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001 RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8 RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200 R10: ffffffffffffffcf R11: 0000000000000001 R12: 00000000000000001 R13: 0000000000000001 R14: ffffffffffffffcf R15: 0000000000000005f ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffffb1ba6707fdb8] actualizaci\u00f3n de enrutamiento irq kvm en ffffffffc09f19a1 [kvm] #8 [ffffb1ba6707fde0] enrutamiento irq kvm_establecido en ffffffffc09f2133 [kvm] #9 [ffffb1ba6707fe18] kvm_vm_ioctl en ffffffffc09ef544 [kvm] RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020 RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0 R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0 R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0 ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b Vmx ha solucionado esto en el commit 3a8b0677fc61 (KVM: VMX: No BUG() en IRQ de invitado fuera de los l\u00edmites), por lo que podemos simplemente copiar la fuente de all\u00ed para solucionarlo."
    }
  ],
  "id": "CVE-2022-49154",
  "lastModified": "2025-09-23T14:11:41.083",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T07:00:52.627",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0fb470eb48892e131d10aa3be6915239e65758f3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3fa2d747960521a646fc1aad7aea82e95e139a68"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a6ffdebfb6a9c2ffeed902b544b96fe67498210e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a80ced6ea514000d34bf1239d47553de0d1ee89e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e4d153d53d9648513481eb4ef8c212e7f1f8173d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-617"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.