CVE-2022-48916 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix double list_add when enabling VMD in scalable mode

When enabling VMD and IOMMU scalable mode, the following kernel panic call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids CPU) during booting:

pci 0000:59:00.5: Adding to iommu group 42 ... vmd 0000:59:00.5: PCI host bridge to bus 10000:80 pci 10000:80:01.0: [8086:352a] type 01 class 0x060400
pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]
pci 10000:80:01.0: enabling Extended Tags pci 10000:80:01.0: PME# supported from D0 D3hot D3cold pci 10000:80:01.0: DMAR: Setup RID2PASID failed pci 10000:80:01.0: Failed to add to iommu group 42: -16 pci 10000:80:03.0: [8086:352b] type 01 class 0x060400
pci 10000:80:03.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]
pci 10000:80:03.0: enabling Extended Tags pci 10000:80:03.0: PME# supported from D0 D3hot D3cold ------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.17.0-rc3+ #7 Hardware name: Lenovo ThinkSystem SR650V3/SB27A86647, BIOS ESE101Y-1.00 01/13/2022 Workqueue: events work_for_cpu_fn RIP: 0010:__list_add_valid.cold+0x26/0x3f Code: 9a 4a ab ff 4c 89 c1 48 c7 c7 40 0c d9 9e e8 b9 b1 fe ff 0f 0b 48 89 f2 4c 89 c1 48 89 fe 48 c7 c7 f0 0c d9 9e e8 a2 b1 fe ff 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 98 0c d9 9e e8 8b b1 fe RSP: 0000:ff5ad434865b3a40 EFLAGS: 00010246 RAX: 0000000000000058 RBX: ff4d61160b74b880 RCX: ff4d61255e1fffa8 RDX: 0000000000000000 RSI: 00000000fffeffff RDI: ffffffff9fd34f20 RBP: ff4d611d8e245c00 R08: 0000000000000000 R09: ff5ad434865b3888 R10: ff5ad434865b3880 R11: ff4d61257fdc6fe8 R12: ff4d61160b74b8a0 R13: ff4d61160b74b8a0 R14: ff4d611d8e245c10 R15: ff4d611d8001ba70 FS: 0000000000000000(0000) GS:ff4d611d5ea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ff4d611fa1401000 CR3: 0000000aa0210001 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: intel_pasid_alloc_table+0x9c/0x1d0 dmar_insert_one_dev_info+0x423/0x540 ? device_to_iommu+0x12d/0x2f0 intel_iommu_attach_device+0x116/0x290 __iommu_attach_device+0x1a/0x90 iommu_group_add_device+0x190/0x2c0 __iommu_probe_device+0x13e/0x250 iommu_probe_device+0x24/0x150 iommu_bus_notifier+0x69/0x90 blocking_notifier_call_chain+0x5a/0x80 device_add+0x3db/0x7b0 ? arch_memremap_can_ram_remap+0x19/0x50 ? memremap+0x75/0x140 pci_device_add+0x193/0x1d0 pci_scan_single_device+0xb9/0xf0 pci_scan_slot+0x4c/0x110 pci_scan_child_bus_extend+0x3a/0x290 vmd_enable_domain.constprop.0+0x63e/0x820 vmd_probe+0x163/0x190 local_pci_probe+0x42/0x80 work_for_cpu_fn+0x13/0x20 process_one_work+0x1e2/0x3b0 worker_thread+0x1c4/0x3a0 ? rescuer_thread+0x370/0x370 kthread+0xc7/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Modules linked in: ---[ end trace 0000000000000000 ]---
... Kernel panic - not syncing: Fatal exception Kernel Offset: 0x1ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ---[ end Kernel panic - not syncing: Fatal exception ]---

The following 'lspci' output shows devices '10000:80:*' are subdevices of the VMD device 0000:59:00.5:

$ lspci ... 0000:59:00.5 RAID bus controller: Intel Corporation Volume Management Device NVMe RAID Controller (rev 20) ... 10000:80:01.0 PCI bridge: Intel Corporation Device 352a (rev 03) 10000:80:03.0 PCI bridge: Intel Corporation Device 352b (rev 03) 10000:80:05.0 PCI bridge: Intel Corporation Device 352c (rev 03) 10000:80:07.0 PCI bridge: Intel Corporation Device 352d (rev 03) 10000:81:00.0 Non-Volatile memory controller: Intel Corporation NVMe Datacenter SSD [3DNAND, Beta Rock Controller]
10000:82:00 ---truncated---

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/11/2025

The vulnerability described in CVE-2022-48916 represents a critical double list addition issue within the Linux kernel's IOMMU (Input-Output Memory Management Unit) subsystem, specifically affecting the VT-d (Virtualization Technology for Directed I/O) implementation when enabling VMD (Volume Management Device) in scalable mode. This flaw manifests as a kernel panic during system boot on platforms utilizing Sapphire Rapids CPUs, particularly the Eagle Stream platform, where the kernel encounters a fatal exception when attempting to manage IOMMU groups for PCI devices under VMD control. The technical root cause lies in improper handling of list operations within the kernel's memory management subsystem, specifically in the dmar_insert_one_dev_info function which is responsible for inserting device information into IOMMU domain structures.

The vulnerability operates through a classic double list insertion pattern where the same list node is added twice to a linked list structure, triggering a kernel panic in the list validation routines located in lib/list_debug.c. This condition occurs when the kernel attempts to add PCI devices under VMD control to IOMMU groups, specifically failing at the intel_pasid_alloc_table function which is part of the IOMMU pasid (Process Address Space Identifier) table allocation process. The kernel panic trace reveals that the system attempts to call __list_add_valid.cold function which detects the invalid list state and triggers a kernel BUG, resulting in an immediate system halt.

This vulnerability directly maps to CWE-119 (Improper Access to Memory) and CWE-457 (Use of Uninitialized Variable) within the Common Weakness Enumeration framework, as the improper list management leads to memory corruption and undefined behavior. From an ATT&CK perspective, this vulnerability falls under T1068 (Local Privilege Escalation) and T1499 (Endpoint Denial of Service) categories, as it can lead to system crashes and potentially enable privilege escalation in certain scenarios. The impact is particularly severe in enterprise server environments using Intel's VMD technology, where the system boot process fails completely, preventing normal operation and requiring manual intervention to recover.

The operational impact of this vulnerability extends beyond simple system crashes to encompass complete platform inoperability during the boot process, effectively rendering systems with affected hardware unusable until the kernel is patched or the problematic configuration is disabled. Mitigation strategies include applying the kernel patch that resolves the double list_add issue, disabling VMD scalable mode if not required, or updating to kernel versions that contain the fix. Organizations should prioritize patching systems running affected kernel versions, particularly those using Intel Sapphire Rapids processors with VMD functionality enabled, as the vulnerability represents a fundamental kernel memory management flaw that could potentially be exploited by malicious actors to cause persistent system outages or gain unauthorized access to system resources.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00210

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!