CVE-2022-49884 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

KVM: Initialize gfn_to_pfn_cache locks in dedicated helper

Move the gfn_to_pfn_cache lock initialization to another helper and call the new helper during VM/vCPU creation. There are race conditions possible due to kvm_gfn_to_pfn_cache_init()'s ability to re-initialize the cache's locks.

For example: a race between ioctl(KVM_XEN_HVM_EVTCHN_SEND) and kvm_gfn_to_pfn_cache_init() leads to a corrupted shinfo gpc lock.

(thread 1) | (thread 2) | kvm_xen_set_evtchn_fast | read_lock_irqsave(&gpc->lock, ...) | | kvm_gfn_to_pfn_cache_init | rwlock_init(&gpc->lock) read_unlock_irqrestore(&gpc->lock, ...) |

Rename "cache_init" and "cache_destroy" to activate+deactivate to avoid implying that the cache really is destroyed/freed.

Note, there more races in the newly named kvm_gpc_activate() that will be addressed separately.

[sean: call out that this is a bug fix]

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 11/11/2025

The vulnerability described in CVE-2022-49884 affects the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically within the gfn_to_pfn_cache locking mechanism. This issue represents a critical race condition that can lead to memory corruption and system instability when multiple threads attempt concurrent operations on virtual machine memory mappings. The vulnerability stems from improper initialization sequencing of cache locks during virtual machine and vCPU creation processes, creating opportunities for concurrent access violations that compromise system integrity.

The technical flaw manifests in the improper handling of gfn_to_pfn_cache lock initialization within the KVM subsystem. When kvm_gfn_to_pfn_cache_init() is called, it has the capability to re-initialize cache locks, creating a window where race conditions can occur between different kernel threads executing concurrently. The specific scenario involves a race condition between ioctl(KVM_XEN_HVM_EVTCHN_SEND) operations and kvm_gfn_to_pfn_cache_init() calls, where thread 1 performs read_lock_irqsave operations on the gpc lock while thread 2 executes rwlock_init on the same lock, leading to corrupted shared information structures. This particular race condition affects the shinfo gpc lock structure, which serves as a critical synchronization primitive for managing guest physical to kernel virtual page frame number mappings.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation and system compromise within virtualized environments. Attackers could exploit this race condition to corrupt kernel memory structures, potentially leading to denial of service conditions or unauthorized access to virtual machine resources. The vulnerability affects systems running Linux kernels with KVM virtualization enabled, particularly those utilizing Xen hypervisor integration features through KVM_XEN_HVM_EVTCHN_SEND ioctl operations. The race condition creates a scenario where concurrent access to shared memory structures can result in undefined behavior and system instability, making it particularly dangerous in production virtualization environments where multiple threads might simultaneously access virtual machine memory mappings.

Security mitigations for this vulnerability involve applying the kernel patch that moves gfn_to_pfn_cache lock initialization to a dedicated helper function and ensures proper sequencing during VM/vCPU creation. The fix addresses the race condition by ensuring locks are properly initialized before concurrent access can occur, and renames the cache initialization and destruction functions to activate and deactivate to better reflect their actual behavior. The patch specifically addresses the race between the read_lock_irqsave operations and rwlock_init calls by ensuring proper lock ordering and initialization sequence. Organizations should prioritize applying this kernel update to protect against potential exploitation, particularly in environments running virtualized workloads with Xen hypervisor integration. This vulnerability aligns with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and could potentially map to ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell) through privilege escalation vectors, though the primary risk lies in the kernel-level memory corruption rather than user-space exploitation. The fix represents a fundamental correction to the kernel's virtualization subsystem locking mechanisms, ensuring proper resource management during virtual machine lifecycle operations.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00098

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!