CVE-2022-49788 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()
`struct vmci_event_qp` allocated by qp_notify_peer() contains padding, which may carry uninitialized data to the userspace, as observed by KMSAN:
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121 instrument_copy_to_user ./include/linux/instrumented.h:121 _copy_to_user+0x5f/0xb0 lib/usercopy.c:33 copy_to_user ./include/linux/uaccess.h:169 vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431 vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925 vfs_ioctl fs/ioctl.c:51 ...
Uninit was stored to memory at: kmemdup+0x74/0xb0 mm/util.c:131 dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271 vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339 qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750 vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940 vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488 vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927 ...
Local variable ev created at: qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456 qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662 qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
Bytes 28-31 of 48 are uninitialized Memory access of size 48 starts at ffff888035155e00 Data copied to user address 0000000020000100
Use memset() to prevent the infoleaks.
Also speculatively fix qp_notify_peer_local(), which may suffer from the same problem.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/07/2025
The vulnerability identified as CVE-2022-49788 resides within the Linux kernel's VMware VMCI (Virtual Machine Communication Interface) subsystem, specifically in the vmci_host_do_receive_datagram function. This issue represents a information disclosure vulnerability that occurs when kernel memory containing uninitialized data is inadvertently exposed to userspace applications. The flaw manifests through the allocation of a struct vmci_event_qp data structure by the qp_notify_peer() function, which contains padding bytes that may retain uninitialized values from previous memory operations. The vulnerability was detected through KMSAN (Kernel Memory Sanitizer) analysis, which identified that uninitialized memory was being copied to userspace via the instrument_copy_to_user function, creating a potential avenue for attackers to extract sensitive kernel information.
The technical root cause stems from improper memory initialization within the kernel's VMCI implementation. When the qp_notify_peer() function allocates memory for the vmci_event_qp structure, it fails to properly clear all bytes of the allocated structure, leaving padding bytes uninitialized. These uninitialized bytes, particularly bytes 28-31 of the 48-byte structure, contain data that was previously stored in the same memory location and may include sensitive kernel information such as stack contents, heap data, or other kernel metadata. The vulnerability path traces through multiple kernel functions including dg_dispatch_as_host, vmci_datagram_dispatch, and qp_notify_peer, where the uninitialized structure is eventually copied to userspace through the vmci_host_do_receive_datagram function. This represents a classic information leak pattern where kernel memory layout information is exposed to unprivileged userspace processes.
The operational impact of this vulnerability is significant as it allows for potential information disclosure attacks that could aid in further exploitation attempts. An attacker with access to the VMCI interface could potentially extract kernel memory contents, which might reveal information about kernel memory layout, stack contents, or other sensitive data that could be leveraged for privilege escalation or bypassing security mechanisms. The vulnerability affects systems running Linux kernels with VMware VMCI support, particularly those that utilize virtualized environments where VMCI is enabled. This type of information leak can be particularly dangerous in environments where kernel memory addresses or sensitive data patterns could be used to facilitate more sophisticated attacks such as kernel exploit development or side-channel attacks. The vulnerability also demonstrates a failure in proper memory management practices within kernel code, where the assumption that memory allocation functions initialize all bytes is incorrect.
The fix for this vulnerability involves implementing proper memory initialization using memset() to ensure that all bytes of the allocated structure are cleared before being copied to userspace. This approach directly addresses the root cause by guaranteeing that no uninitialized data is exposed to userspace applications, thereby preventing the information leak. The patch also includes a speculative fix for qp_notify_peer_local() function, which may suffer from the same uninitialized memory exposure issue. This remediation follows established security practices and aligns with the principle of least privilege and secure coding standards. The fix demonstrates the importance of proper memory initialization in kernel space, where every byte of allocated memory must be explicitly initialized to prevent information disclosure vulnerabilities. This vulnerability and its resolution are consistent with common patterns found in the CWE (Common Weakness Enumeration) database under weakness category 127, which covers "Information Exposure Through Uninitialized Memory" and also relates to CWE-1238, which covers "Information Exposure Through Kernel Memory".
The ATT&CK framework categorizes this vulnerability under the technique of Information Disclosure (T1005) and potentially Information Gathering (T1082) as attackers could use the information leak to gather intelligence about the target system. This vulnerability also represents a potential pathway for privilege escalation attacks, as the leaked information could be used to construct more sophisticated exploits. The fix implementation demonstrates best practices for kernel security and aligns with the defense-in-depth strategy that organizations should employ when securing kernel-level components. The vulnerability serves as a reminder of the critical importance of proper memory management in kernel space and the necessity of thorough testing with security analysis tools like KMSAN to detect such subtle information disclosure issues that may not be apparent through conventional testing methods.