Since both vaddr and vm_pgoff are controllable by the user-mode process, writing may exceed the previously mapped guest memory space and trigger exceptions such as UAF.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2096819]
This was fixed for Fedora with the 5.16.19 stable kernel updates.
This bug was introduced in kernel upstream version 5.2 with commit [1]. For distros and stable, Paolo Bonzini sent an inline assembly patch that updates the gPTE using a valid userspace address [2]. With the same method, Sean Christopherson and Peter Zijlstra introduced macros for CMPXCHG and replaced cmpxchg_gpte() with __try_cmpxchg_user() [3].

[1] https://github.com/torvalds/linux/commit/bd53cb35a3e9adb73a834a36586e9ad80e877767
[2] https://github.com/torvalds/linux/commit/2a8859f373b0a86f0ece8ec8312607eacf12485d
[3] https://github.com/torvalds/linux/commit/f122dfe4476890d60b8c679128cd2259ec96a24c
I suggest using the simpler fix at upstream commit 2a8859f373b0a86f0ece8ec8312607eacf12485d for z-stream.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:8686 https://access.redhat.com/errata/RHSA-2022:8686
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:8673 https://access.redhat.com/errata/RHSA-2022:8673
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:8685 https://access.redhat.com/errata/RHSA-2022:8685
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2022:8809 https://access.redhat.com/errata/RHSA-2022:8809
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2022:8831 https://access.redhat.com/errata/RHSA-2022:8831
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2022:8940 https://access.redhat.com/errata/RHSA-2022:8940
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2022:8941 https://access.redhat.com/errata/RHSA-2022:8941
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Via RHSA-2022:8989 https://access.redhat.com/errata/RHSA-2022:8989
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:8973 https://access.redhat.com/errata/RHSA-2022:8973
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:8974 https://access.redhat.com/errata/RHSA-2022:8974
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:9082 https://access.redhat.com/errata/RHSA-2022:9082
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1158
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.