CVE-2022-48764 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Free kvm_cpuid_entry2 array on post-KVM_RUN KVM_SET_CPUID{,2}
Free the "struct kvm_cpuid_entry2" array on successful post-KVM_RUN KVM_SET_CPUID{,2} to fix a memory leak, the callers of kvm_set_cpuid()
free the array only on failure.
BUG: memory leak unreferenced object 0xffff88810963a800 (size 2048): comm "syz-executor025", pid 3610, jiffies 4294944928 (age 8.080s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 ................ 47 65 6e 75 6e 74 65 6c 69 6e 65 49 00 00 00 00 GenuntelineI.... backtrace: [] kmalloc_node include/linux/slab.h:604 [inline]
[] kvmalloc_node+0x3e/0x100 mm/util.c:580
[] kvmalloc include/linux/slab.h:732 [inline]
[] vmemdup_user+0x22/0x100 mm/util.c:199
[] kvm_vcpu_ioctl_set_cpuid2+0x8f/0xf0 arch/x86/kvm/cpuid.c:423
[] kvm_arch_vcpu_ioctl+0xb99/0x1e60 arch/x86/kvm/x86.c:5251
[] kvm_vcpu_ioctl+0x4ad/0x950 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4066
[] vfs_ioctl fs/ioctl.c:51 [inline]
[] __do_sys_ioctl fs/ioctl.c:874 [inline]
[] __se_sys_ioctl fs/ioctl.c:860 [inline]
[] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860
[] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[] entry_SYSCALL_64_after_hwframe+0x44/0xae
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/30/2024
The vulnerability identified as CVE-2022-48764 represents a memory leak within the Linux kernel's KVM (Kernel-based Virtual Machine) implementation specifically affecting x86 virtualization environments. This issue occurs in the handling of CPUID configuration operations where the kernel fails to properly release allocated memory structures after successful execution of KVM_SET_CPUID operations. The memory leak manifests when the kvm_set_cpuid() function is called through KVM_RUN operations, creating a scenario where memory allocated for struct kvm_cpuid_entry2 arrays is only freed upon failure conditions rather than during normal successful operation paths. The vulnerability impacts the kernel's memory management system by leaving unreferenced memory blocks that cannot be reclaimed by the system's memory allocator, leading to progressive memory consumption over time.
The technical flaw stems from an incomplete memory management pattern within the KVM subsystem's CPUID handling code. When KVM_SET_CPUID{,2} operations execute successfully post-KVM_RUN, the system allocates memory for CPUID entry structures but fails to free this memory in the success path. The memory leak occurs at the vmemdup_user function call within kvm_vcpu_ioctl_set_cpuid2, where the kernel allocates memory for CPUID data but does not provide proper cleanup for successful operations. This pattern violates standard memory management practices and creates a persistent resource leak that can accumulate over time, particularly in virtualized environments where KVM operations occur frequently. The vulnerability is classified as a memory leak under CWE-401, which specifically addresses improper management of memory resources.
The operational impact of this vulnerability extends beyond simple memory consumption issues to potentially affect system stability and performance in virtualized environments. As the memory leak accumulates, it can lead to gradual system resource degradation where available memory becomes increasingly constrained, potentially causing system slowdowns, application failures, or even system crashes under extreme conditions. In cloud and server virtualization environments where multiple VMs operate simultaneously, this vulnerability can compound memory pressure across the entire host system, affecting overall performance and resource allocation. The leak affects both the guest operating systems running within KVM virtual machines and the host system's memory management, creating a cascading effect that can impact multiple running processes and services.
Mitigation strategies for CVE-2022-48764 require immediate kernel updates from vendors who have addressed this memory leak in their KVM implementations. System administrators should prioritize applying security patches that include the fix for proper memory cleanup in the KVM CPUID handling code, typically involving modifications to the kvm_set_cpuid() function to ensure memory allocation is freed regardless of operation success or failure. Additionally, monitoring systems should be implemented to track memory consumption patterns in virtualized environments, enabling early detection of potential memory leak impacts. The fix typically involves adding proper cleanup code paths that ensure struct kvm_cpuid_entry2 arrays are freed in all execution branches, including successful post-KVM_RUN operations, aligning with ATT&CK technique T1484 for resource exhaustion attacks and ensuring proper memory management practices are maintained throughout the kernel's virtualization subsystem.