CVE-2022-48943 in Linux
Summary
by MITRE • 08/22/2024
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: make apf token non-zero to fix bug
In current async pagefault logic, when a page is ready, KVM relies on kvm_arch_can_dequeue_async_page_present() to determine whether to deliver a READY event to the Guest. This function test token value of struct kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a READY event is finished by Guest. If value is zero meaning that a READY event is done, so the KVM can deliver another. But the kvm_arch_setup_async_pf() may produce a valid token with zero value, which is confused with previous mention and may lead the loss of this READY event.
This bug may cause task blocked forever in Guest: INFO: task stress:7532 blocked for more than 1254 seconds. Not tainted 5.10.0 #16 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:stress state:D stack: 0 pid: 7532 ppid: 1409 flags:0x00000080 Call Trace: __schedule+0x1e7/0x650 schedule+0x46/0xb0 kvm_async_pf_task_wait_schedule+0xad/0xe0 ? exit_to_user_mode_prepare+0x60/0x70 __kvm_handle_async_pf+0x4f/0xb0 ? asm_exc_page_fault+0x8/0x30 exc_page_fault+0x6f/0x110 ? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x402d00 RSP: 002b:00007ffd31912500 EFLAGS: 00010206 RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0 RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0 RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086 R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000 R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/11/2024
The vulnerability described in CVE-2022-48943 resides within the Linux kernel's KVM virtualization subsystem, specifically affecting the x86 memory management unit implementation. This issue manifests in the asynchronous page fault handling mechanism where the kernel's virtualization layer fails to properly distinguish between valid and invalid page fault tokens, creating a potential deadlock condition in guest operating systems. The root cause lies in the kvm_arch_setup_async_pf() function which can generate a valid token with a zero value, confusing the system's state tracking mechanism that relies on token values to manage page fault delivery sequences.
The technical flaw occurs in the interaction between the kernel's virtualization infrastructure and guest operating system page fault handling. When a page becomes available, KVM uses the kvm_arch_can_dequeue_async_page_present() function to determine if a READY event should be delivered to the guest. This function examines the token value stored in the kvm_vcpu_pv_apf_data structure, which must be explicitly reset to zero by the guest kernel upon completion of a READY event. However, when the kvm_arch_setup_async_pf() function creates a token with a zero value, this creates ambiguity in the state machine since zero also represents the completed state, leading to incorrect decision-making in the page fault delivery logic.
The operational impact of this vulnerability is severe as it can cause guest operating systems to become permanently blocked, resulting in system hangs and unresponsiveness. The kernel log trace demonstrates a task named "stress" that remains blocked for over 1254 seconds, indicating the system has entered a deadlock state where the asynchronous page fault handling mechanism has failed to properly process page fault events. This condition prevents the guest from making progress in memory management operations, effectively rendering the virtual machine unresponsive to normal operations. The vulnerability affects systems running kernel versions prior to the fix, particularly those utilizing KVM virtualization with async page fault support, and represents a critical reliability issue in virtualized environments.
The mitigation strategy involves ensuring that the async page fault token initialization properly distinguishes between valid and invalid states, preventing the zero value from being interpreted as both a valid token and a completion indicator. This fix aligns with the CWE-691 weakness category related to insufficient control flow management and addresses the ATT&CK technique T1489 which covers data manipulation and system integrity compromise through kernel-level vulnerabilities. The resolution requires modifying the token generation logic to ensure that valid tokens cannot have zero values, thereby maintaining clear state boundaries in the asynchronous page fault handling mechanism. This approach prevents the confusion that leads to the permanent blocking condition while preserving the intended functionality of the async page fault system.
This vulnerability demonstrates the complexity of virtualization layer security and the critical importance of proper state management in kernel subsystems. The fix ensures that the asynchronous page fault mechanism maintains correct state transitions by preventing the ambiguous zero token value that caused the deadlock condition. The resolution addresses the fundamental issue of token value interpretation in the KVM subsystem's memory management, preventing guest operating systems from becoming permanently blocked during page fault processing operations. Organizations utilizing KVM virtualization should apply the kernel patches addressing this vulnerability to prevent potential system hangs and maintain virtual machine responsiveness. The fix represents a critical improvement to the virtualization infrastructure's reliability and demonstrates the importance of careful state management in complex kernel subsystems that handle asynchronous operations.