cve-2022-48700
Vulnerability from cvelistv5
Published
2024-05-03 15:12
Modified
2024-08-03 15:17
Severity ?
EPSS score ?
Summary
vfio/type1: Unpin zero pages
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-48700",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T15:31:01.372546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T15:31:14.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T15:17:55.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/vfio/vfio_iommu_type1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "578d644edc7d",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "5321908ef74f",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "5d721bf22293",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "873aefb376bb",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/vfio/vfio_iommu_type1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.146",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.68",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/type1: Unpin zero pages\n\nThere\u0027s currently a reference count leak on the zero page. We increment\nthe reference via pin_user_pages_remote(), but the page is later handled\nas an invalid/reserved page, therefore it\u0027s not accounted against the\nuser and not unpinned by our put_pfn().\n\nIntroducing special zero page handling in put_pfn() would resolve the\nleak, but without accounting of the zero page, a single user could\nstill create enough mappings to generate a reference count overflow.\n\nThe zero page is always resident, so for our purposes there\u0027s no reason\nto keep it pinned. Therefore, add a loop to walk pages returned from\npin_user_pages_remote() and unpin any zero pages."
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T05:11:34.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03"
},
{
"url": "https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986"
},
{
"url": "https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46"
},
{
"url": "https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4"
}
],
"title": "vfio/type1: Unpin zero pages",
"x_generator": {
"engine": "bippy-a5840b7849dd"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-48700",
"datePublished": "2024-05-03T15:12:16.246Z",
"dateReserved": "2024-05-03T14:55:07.145Z",
"dateUpdated": "2024-08-03T15:17:55.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-48700\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-03T16:15:08.500\",\"lastModified\":\"2024-05-06T12:44:56.377\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvfio/type1: Unpin zero pages\\n\\nThere\u0027s currently a reference count leak on the zero page. We increment\\nthe reference via pin_user_pages_remote(), but the page is later handled\\nas an invalid/reserved page, therefore it\u0027s not accounted against the\\nuser and not unpinned by our put_pfn().\\n\\nIntroducing special zero page handling in put_pfn() would resolve the\\nleak, but without accounting of the zero page, a single user could\\nstill create enough mappings to generate a reference count overflow.\\n\\nThe zero page is always resident, so for our purposes there\u0027s no reason\\nto keep it pinned. Therefore, add a loop to walk pages returned from\\npin_user_pages_remote() and unpin any zero pages.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: vfio/type1: Desanclar p\u00e1ginas cero Actualmente hay una p\u00e9rdida de recuento de referencias en la p\u00e1gina cero. Incrementamos la referencia a trav\u00e9s de pin_user_pages_remote(), pero la p\u00e1gina luego se maneja como una p\u00e1gina no v\u00e1lida/reservada, por lo tanto, no se contabiliza contra el usuario y nuestro put_pfn() no la desancla. Introducir un manejo especial de la p\u00e1gina cero en put_pfn() resolver\u00eda la fuga, pero sin tener en cuenta la p\u00e1gina cero, un solo usuario a\u00fan podr\u00eda crear suficientes asignaciones para generar un desbordamiento del recuento de referencias. La p\u00e1gina cero siempre es residente, por lo que para nuestros prop\u00f3sitos no hay motivo para mantenerla fijada. Por lo tanto, agregue un bucle para recorrer las p\u00e1ginas devueltas desde pin_user_pages_remote() y desanclar las p\u00e1ginas cero.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5321908ef74fb593e0dbc8737d25038fc86c9986\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/578d644edc7d2c1ff53f7e4d0a25da473deb4a03\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5d721bf222936f5cf3ee15ced53cc483ecef7e46\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.