CVE-2022-48700

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48700
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48700.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48700
Related
Published
2024-05-03T16:15:08Z
Modified
2024-09-11T04:56:59.359570Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/type1: Unpin zero pages

There's currently a reference count leak on the zero page. We increment the reference via pinuserpagesremote(), but the page is later handled as an invalid/reserved page, therefore it's not accounted against the user and not unpinned by our putpfn().

Introducing special zero page handling in put_pfn() would resolve the leak, but without accounting of the zero page, a single user could still create enough mappings to generate a reference count overflow.

The zero page is always resident, so for our purposes there's no reason to keep it pinned. Therefore, add a loop to walk pages returned from pinuserpages_remote() and unpin any zero pages.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.148-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}