CVE-2022-49557 Information
Description
In the Linux kernel the following vulnerability has been resolved:
x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)
Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave', i.e. to KVM's historical uABI size. When saving FPU state for userspace, KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if the host doesn't support XSAVE. Setting the XSAVE header allows the VM to be migrated to a host that does support XSAVE without the new host having to handle FPU state that may or may not be compatible with XSAVE.
Setting the uABI size to the host’s default size results in out-of-bounds writes (setting the FP+SSE bits) and data corruption (that is thankfully caught by KASAN) when running on hosts without XSAVE e.g. on Core2 CPUs.
WARN if the default size is larger than KVM’s historical uABI size; all features that can push the FPU size beyond the historical size must be opt-in.
==================================================================
BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130
Read of size 8 at addr ffff888011e33a00 by task qemu-build/681
CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1
Hardware name: /DG35EC BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010
Call Trace:
ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                  ^
ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
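The size mismatch behind this report, as an added model written for this page (it is not kernel or KVM code). The XSAVE uABI layout places the 64-byte XSAVE header at offset 512, right after the legacy FXSAVE area, and struct kvm_xsave is 4096 bytes (__u32 region[1024]). If the guest FPU uABI buffer is sized from the host default, then on a host without XSAVE (assumed here to be the 512-byte FXSAVE area, a stand-in for fpu_user_cfg.default_size) the buffer ends exactly where the header begins, so setting the FP+SSE bits walks off the end of the allocation. Function names, the host_cfg/guest_fpu structs and the three host profiles are constructed for the example; the "fixed" policy mirrors the commit's approach of starting at sizeof(struct kvm_xsave) and warning if the default exceeds it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout facts of the XSAVE uABI format (SDM / kernel uapi). */
#define KVM_XSAVE_SIZE      4096u  /* sizeof(struct kvm_xsave): __u32 region[1024] */
#define XSAVE_HDR_OFFSET    512u   /* 512-byte legacy FXSAVE area, then the XSAVE header */
#define XFEATURE_MASK_FPSSE 0x3ull /* XFEATURE_MASK_FP | XFEATURE_MASK_SSE */

/* Modelled host FPU configuration (assumed shape, not the kernel's struct). */
struct host_cfg {
    int has_xsave;
    unsigned default_size;   /* stand-in for fpu_user_cfg.default_size */
};

/* Modelled guest FPU: a uABI buffer of uabi_size bytes. */
struct guest_fpu {
    unsigned uabi_size;
    uint8_t *buf;
};

/* Buggy sizing policy: uabi_size follows the host default. */
static unsigned uabi_size_buggy(const struct host_cfg *h)
{
    return h->default_size;
}

/* Fixed sizing policy: start at sizeof(struct kvm_xsave) and WARN if the
 * host default is larger, since anything beyond that must be opt-in. */
static unsigned uabi_size_fixed(const struct host_cfg *h, int *warned)
{
    unsigned sz = KVM_XSAVE_SIZE;
    *warned = 0;
    if (h->default_size > sz) {
        *warned = 1;             /* stand-in for WARN_ON_ONCE() */
        sz = h->default_size;
    }
    return sz;
}

/* Model of the FP+SSE header access done on every uABI save/restore:
 * read-modify-write of header.xfeatures at offset 512. Returns 0 on success
 * or -1 if the access would fall outside the buffer (the OOB KASAN reported).
 * The bounds check is explicit here only to make the failure visible. */
static int touch_fpsse_header(struct guest_fpu *g)
{
    uint64_t xfeatures;

    if (XSAVE_HDR_OFFSET + sizeof(xfeatures) > g->uabi_size)
        return -1;
    memcpy(&xfeatures, g->buf + XSAVE_HDR_OFFSET, sizeof(xfeatures));
    xfeatures |= XFEATURE_MASK_FPSSE;
    memcpy(g->buf + XSAVE_HDR_OFFSET, &xfeatures, sizeof(xfeatures));
    return 0;
}

/* Allocate a guest FPU under one policy and attempt the header access.
 * Returns touch_fpsse_header()'s result; size and WARN state via out-params. */
static int run_scenario(const struct host_cfg *h, int use_fix,
                        unsigned *size_out, int *warned_out)
{
    struct guest_fpu g;
    int warned = 0, rc;

    g.uabi_size = use_fix ? uabi_size_fixed(h, &warned) : uabi_size_buggy(h);
    g.buf = calloc(g.uabi_size, 1);
    if (!g.buf)
        return -2;
    rc = touch_fpsse_header(&g);
    free(g.buf);
    if (size_out)
        *size_out = g.uabi_size;
    if (warned_out)
        *warned_out = warned;
    return rc;
}

int main(void)
{
    /* Constructed host profiles: a Core2-class host without XSAVE, an AVX
     * host (576 + 256 bytes), and a host whose default exceeds kvm_xsave. */
    const struct host_cfg hosts[] = { { 0, 512 }, { 1, 832 }, { 1, 8192 } };

    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        unsigned sz;
        int w;
        int buggy = run_scenario(&hosts[i], 0, &sz, &w);
        printf("host default %u: buggy policy -> %s (uabi_size %u)\n",
               hosts[i].default_size, buggy ? "OUT OF BOUNDS" : "ok", sz);
        int fixed = run_scenario(&hosts[i], 1, &sz, &w);
        printf("host default %u: fixed policy -> %s (uabi_size %u%s)\n",
               hosts[i].default_size, fixed ? "OUT OF BOUNDS" : "ok", sz,
               w ? ", WARN" : "");
    }
    return 0;
}
```

Only the non-XSAVE profile trips the buggy policy: with a 512-byte buffer the 8-byte xfeatures access at offset 512 is entirely past the end, which matches the "Read of size 8" at the first byte of the fc (redzone) shadow row above. The fixed policy gives every host at least 4096 bytes, and the oversized profile shows the WARN path that flags a default the opt-in model should never have produced.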
Reference
https://git.kernel.org/stable/c/9cf15ebb7dedfe2f27120743b8ea8441c99ac73c
https://git.kernel.org/stable/c/c181acbd1a427859d5fda543b95fbae28f7f6068
https://git.kernel.org/stable/c/d187ba5312307d51818beafaad87d28a7d939adf