CVE-2022-49557 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)
Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave', i.e. to KVM's historical uABI size. When saving FPU state for userspace, KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if the host doesn't support XSAVE. Setting the XSAVE header allows the VM to be migrated to a host that does support XSAVE without the new host having to handle FPU state that may or may not be compatible with XSAVE.
Setting the uABI size to the host's default size results in out-of-bounds writes (setting the FP+SSE bits) and data corruption (that is thankfully caught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.
WARN if the default size is larger than KVM's historical uABI size; all features that can push the FPU size beyond the historical size must be opt-in.
==================================================================
BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130
Read of size 8 at addr ffff888011e33a00 by task qemu-build/681
CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1
Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010
Call Trace:
 dump_stack_lvl+0x34/0x45
 print_report.cold+0x45/0x575
 kasan_report+0x9b/0xd0
 fpu_copy_uabi_to_guest_fpstate+0x86/0x130
 kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]
 kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]
 __x64_sys_ioctl+0x5de/0xc90
 do_syscall_64+0x31/0x50
 entry_SYSCALL_64_after_hwframe+0x44/0xae
Allocated by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888011e33800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes to the right of
 512-byte region [ffff888011e33800, ffff888011e33a00)
The buggy address belongs to the physical page:
page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30
head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
Analysis
by VulDB Data Team • 10/23/2025
CVE-2022-49557 is a bug in how the Linux kernel's x86 FPU code sizes the guest FPU state that KVM exchanges with user space. For each vCPU, KVM keeps a "uABI size": the number of bytes it copies to or from the VMM for the KVM_GET_XSAVE and KVM_SET_XSAVE ioctls. That size was initialised from the host's default user FPU size instead of from KVM's historical uABI size, sizeof(struct kvm_xsave). On hosts with XSAVE the two are compatible and nothing is visible; on hosts without XSAVE they differ, and the difference is exactly where the out-of-bounds access happens.
Without XSAVE, the host's default user FPU size is the 512-byte legacy FXSAVE image. KVM nevertheless treats the buffer as an XSAVE image: it deliberately sets the FP+SSE bits in the XSAVE header, which starts at offset 512, so that state saved on a Core2-class host can be restored on an XSAVE-capable host after migration. The header handling is intentional; the defect is that with a 512-byte uABI size every access to the header lands at or beyond the end of the buffer. The KASAN report in the summary shows the restore path, fpu_copy_uabi_to_guest_fpstate, performing an 8-byte read at the first byte past a 512-byte kmalloc-512 object (address ffff888011e33a00, "0 bytes to the right" of the region), reached from kvm_arch_vcpu_ioctl; the commit message describes the corresponding out-of-bounds write on the save path, where the FP+SSE bits are set.
The fault is triggered by a process with access to the vCPU file descriptor, in the report the VMM itself (qemu-build), issuing the affected ioctls on a host without XSAVE. The demonstrated effect is out-of-bounds access to host kernel slab memory; with KASAN this is a report and kernel taint, without it the read returns and the write corrupts whatever follows the 512-byte object, so the practical outcome is host kernel instability or silent data corruption rather than anything specific to the guest. Migration is the reason the header is touched at all, but the corruption does not occur during transfer between hosts: it occurs on the non-XSAVE host, whether it is saving state to migrate away or restoring state it received.
The fix initialises the guest FPU uABI size to sizeof(struct kvm_xsave), KVM's historical uABI size, instead of the host's default user size, so the buffer KVM copies to and from user space always covers the legacy area plus the XSAVE header regardless of host capabilities. It also WARNs if the host default is ever larger than that size: anything that pushes the guest FPU image beyond sizeof(struct kvm_xsave) must be opted into explicitly rather than inherited from the host, which keeps the user-visible size predictable across hosts. For operators the relevant question is whether the host kernel carries this commit; hosts with XSAVE do not hit the out-of-bounds access, and the code is only reached through the vCPU ioctls the VMM already holds.
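To make the size arithmetic concrete, the following C program is an added example, not code from the kernel or from VulDB. It models the KVM_SET_XSAVE path on a host without XSAVE: user bytes are duplicated at the guest FPU's uABI size, then the XSAVE header at offset 512 is validated before the legacy area is copied, with a bounds check standing in for KASAN. The constants (512-byte FXSAVE image, header at offset 512, 4096 bytes for sizeof(struct kvm_xsave)) are the real x86/KVM values; struct host_cfg, struct guest_fpu, guest_fpu_init_buggy, guest_fpu_init_fixed, kvm_set_xsave_model and run_set_xsave are hypothetical names invented for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Real x86/KVM sizes: the legacy FXSAVE image is 512 bytes, the XSAVE header
 * (xfeatures mask first) follows it at offset 512, and sizeof(struct kvm_xsave)
 * is 4096, KVM's historical uABI size for KVM_GET_XSAVE / KVM_SET_XSAVE. */
#define FXSAVE_SIZE         512
#define XSAVE_HDR_OFFSET    FXSAVE_SIZE
#define KVM_XSAVE_SIZE      4096
#define XFEATURE_MASK_FPSSE ((1ULL << 0) | (1ULL << 1))   /* FP | SSE */

/* Hypothetical stand-ins for fpu_user_cfg and the guest FPU's uabi_size. */
struct host_cfg  { size_t default_size; };  /* 512 on a host without XSAVE */
struct guest_fpu { size_t uabi_size; };

/* Pre-fix initialisation: inherit the host's default user-visible size. */
static void guest_fpu_init_buggy(struct guest_fpu *g, const struct host_cfg *h)
{
    g->uabi_size = h->default_size;
}

/* Post-fix initialisation: start at KVM's historical uABI size.  Returns 1 in
 * the case the commit WARNs on (host default larger than that size), since
 * anything beyond it must be opted into explicitly, never inherited. */
static int guest_fpu_init_fixed(struct guest_fpu *g, const struct host_cfg *h)
{
    g->uabi_size = KVM_XSAVE_SIZE;
    return h->default_size > KVM_XSAVE_SIZE;
}

/* Model of KVM_SET_XSAVE on a host without XSAVE: duplicate uabi_size bytes
 * from user space (memdup_user), then, as fpu_copy_uabi_to_guest_fpstate does,
 * validate the XSAVE header before copying the legacy area.  Accesses are
 * bounds-checked against the duplicated size and reported as -EFAULT; in the
 * kernel the same access is silent and KASAN is what caught it. */
static int kvm_set_xsave_model(const struct guest_fpu *g, const uint8_t *ubuf,
                               size_t ulen, uint8_t fxsave_out[FXSAVE_SIZE])
{
    size_t size = g->uabi_size;
    uint64_t xfeatures;
    int ret = 0;

    if (ulen < size)
        return -EFAULT;              /* user buffer shorter than uabi_size */
    uint8_t *kbuf = malloc(size);    /* stands in for memdup_user(argp, size) */
    if (!kbuf)
        return -ENOMEM;
    memcpy(kbuf, ubuf, size);

    /* ustate->xsave.header.xfeatures lives at offset 512: with a 512-byte
     * object this is the 8-byte read 0 bytes past its end from the report. */
    if (XSAVE_HDR_OFFSET + sizeof(xfeatures) > size) {
        ret = -EFAULT;
        goto out;
    }
    memcpy(&xfeatures, kbuf + XSAVE_HDR_OFFSET, sizeof(xfeatures));
    if (xfeatures & ~XFEATURE_MASK_FPSSE) {
        ret = -EINVAL;               /* only FP and SSE exist without XSAVE */
        goto out;
    }
    memcpy(fxsave_out, kbuf, FXSAVE_SIZE);
out:
    free(kbuf);
    return ret;
}

/* Drive the model on a Core2-like host (default size 512) with a constructed
 * 4096-byte user image whose header carries `xfeatures`. */
static int run_set_xsave(int use_fixed_init, uint64_t xfeatures)
{
    const struct host_cfg core2 = { .default_size = FXSAVE_SIZE };
    struct guest_fpu g;
    uint8_t image[KVM_XSAVE_SIZE] = { 0 };   /* constructed user image */
    uint8_t fx[FXSAVE_SIZE];

    if (use_fixed_init)
        guest_fpu_init_fixed(&g, &core2);
    else
        guest_fpu_init_buggy(&g, &core2);
    memcpy(image + XSAVE_HDR_OFFSET, &xfeatures, sizeof(xfeatures));
    return kvm_set_xsave_model(&g, image, sizeof(image), fx);
}

int main(void)
{
    printf("buggy init, FP|SSE header: %d (-EFAULT is %d)\n",
           run_set_xsave(0, XFEATURE_MASK_FPSSE), -EFAULT);
    printf("fixed init, FP|SSE header: %d (expect 0)\n",
           run_set_xsave(1, XFEATURE_MASK_FPSSE));
    printf("fixed init, extra feature bit: %d (-EINVAL is %d)\n",
           run_set_xsave(1, XFEATURE_MASK_FPSSE | (1ULL << 2)), -EINVAL);
    return 0;
}
```

With the pre-fix initialisation the duplicated object is 512 bytes and the header read is rejected by the model's bounds check, which is the position of the KASAN splat; with the historical 4096-byte size the same user image is accepted, and an image claiming features a non-XSAVE host cannot have is still refused with -EINVAL, as the kernel's restore path does.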
In CWE terms this is a heap-based out-of-bounds access: the object is a kmalloc-512 slab allocation, so CWE-122 (Heap-based Buffer Overflow) describes the out-of-bounds write on the save path, and the 8-byte read in the KASAN report is an out-of-bounds read (CWE-125). CWE-121 (Stack-based Buffer Overflow) does not apply, since no stack buffer is involved. The ATT&CK techniques T1059.003 (Windows Command Shell) and T1070.004 (File Deletion) have no connection to this bug, which involves neither Windows nor the removal of files; the only reachable path is a local VMM issuing vCPU ioctls on a non-XSAVE host. The general lesson is that a size used for a user-visible interface must be derived from the interface's own definition, not from whatever the host happens to support, and that extending it must be an explicit opt-in rather than a side effect of host capabilities.