{
  "threat_severity" : "Low",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)",
    "id" : "2348183",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348183"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nx86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)\nSet the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',\ni.e. to KVM's historical uABI size.  When saving FPU state for userspace,\nKVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if\nthe host doesn't support XSAVE.  Setting the XSAVE header allows the VM\nto be migrated to a host that does support XSAVE without the new host\nhaving to handle FPU state that may or may not be compatible with XSAVE.\nSetting the uABI size to the host's default size results in out-of-bounds\nwrites (setting the FP+SSE bits) and data corruption (that is thankfully\ncaught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.\nWARN if the default size is larger than KVM's historical uABI size; all\nfeatures that can push the FPU size beyond the historical size must be\nopt-in.\n==================================================================\nBUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130\nRead of size 8 at addr ffff888011e33a00 by task qemu-build/681\nCPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1\nHardware name:  /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010\nCall Trace:\n<TASK>\ndump_stack_lvl+0x34/0x45\nprint_report.cold+0x45/0x575\nkasan_report+0x9b/0xd0\nfpu_copy_uabi_to_guest_fpstate+0x86/0x130\nkvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]\nkvm_vcpu_ioctl+0x47f/0x7b0 [kvm]\n__x64_sys_ioctl+0x5de/0xc90\ndo_syscall_64+0x31/0x50\nentry_SYSCALL_64_after_hwframe+0x44/0xae\n</TASK>\nAllocated by task 0:\n(stack is not available)\nThe buggy address belongs to the object at ffff888011e33800\nwhich belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 0 bytes to the right of\n512-byte region [ffff888011e33800, ffff888011e33a00)\nThe buggy address belongs to the physical page:\npage:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30\nhead:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0\nflags: 0x4000000000010200(slab|head|zone=1)\nraw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80\nraw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n^\nffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n==================================================================\nDisabling lock debugging due to kernel taint" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-09-13T00:00:00Z",
    "advisory" : "RHSA-2022:6460",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-372.26.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2022-09-13T00:00:00Z",
    "advisory" : "RHSA-2022:6460",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "kernel-0:4.18.0-372.26.1.el8_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49557\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49557\nhttps://lore.kernel.org/linux-cve-announce/2025022617-CVE-2022-49557-f9a3@gregkh/T" ],
  "name" : "CVE-2022-49557",
  "csaw" : false
}
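The KASAN report in the record above pins the defect down: the uABI buffer lives in kmalloc-512, and the faulting access is exactly 0 bytes past its 512-byte end. That offset is where the XSAVE header (whose first 8 bytes are the xfeatures bitmap) sits, right after the 512-byte legacy FXSAVE region, so on a host without XSAVE whose default user FPU size is just those 512 bytes, stamping FP+SSE into the header walks off the end of the object. The C program below is an added model of that mechanism, not kernel code and not the upstream patch; the only real-world figures it uses are the 512-byte FXSAVE region, the header offset and the 4096-byte sizeof(struct kvm_xsave). The function names (guest_fpu_uabi_size, stamp_fpsse_header, probe_oob) are hypothetical, the redzone stands in for KASAN's 0xfc poison, and the "fixed" size policy follows the commit message's description (start from sizeof(struct kvm_xsave), warn if the host default is larger) rather than quoting the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout constants from the x86 XSAVE format and the KVM uABI: the legacy
 * FXSAVE region is 512 bytes, the XSAVE header (xfeatures bitmap first)
 * starts right after it, and struct kvm_xsave is 4096 bytes. Everything
 * else in this file is a simplified model, not kernel code. */
#define FXSAVE_SIZE         512u
#define XSAVE_HDR_OFFSET    FXSAVE_SIZE
#define KVM_XSAVE_SIZE      4096u
#define XFEATURE_MASK_FP    (1ull << 0)
#define XFEATURE_MASK_SSE   (1ull << 1)
#define XFEATURE_MASK_FPSSE (XFEATURE_MASK_FP | XFEATURE_MASK_SSE)

/* Redzone mimicking KASAN's 0xfc poison past the end of a slab object. */
#define REDZONE_SIZE        64u
#define REDZONE_BYTE        0xfc

int warned;   /* stands in for WARN_ON_ONCE having fired */

/* Choose the guest FPU uABI buffer size from the host's default user size.
 * fixed == 0: use the host default (512 bytes on a host without XSAVE),
 *             which is the pre-fix behaviour.
 * fixed != 0: start from sizeof(struct kvm_xsave) and only grow, with a
 *             warning, if the host default is somehow larger. */
size_t guest_fpu_uabi_size(size_t host_default_size, int fixed)
{
    if (!fixed)
        return host_default_size;
    if (host_default_size > KVM_XSAVE_SIZE) {
        warned = 1;
        return host_default_size;
    }
    return KVM_XSAVE_SIZE;
}

/* Model of stamping FP+SSE into the XSAVE header of a uABI buffer, done so
 * a migrated guest's state is XSAVE-shaped even when the source host lacks
 * XSAVE. It writes at offset 512 without knowing the buffer size, which is
 * why a 512-byte buffer is overrun. */
void stamp_fpsse_header(uint8_t *buf)
{
    uint64_t xfeatures;
    memcpy(&xfeatures, buf + XSAVE_HDR_OFFSET, sizeof(xfeatures));
    xfeatures |= XFEATURE_MASK_FPSSE;
    memcpy(buf + XSAVE_HDR_OFFSET, &xfeatures, sizeof(xfeatures));
}

/* Allocate uabi_size bytes followed by a poisoned redzone, run the header
 * stamp, and report whether the redzone was touched. Returns 1 for an
 * out-of-bounds write, 0 for none, -1 if the model cannot contain the
 * write. The redzone is part of the allocation, so the probe is
 * well-defined C rather than real memory corruption. */
int probe_oob(size_t uabi_size)
{
    if (uabi_size + REDZONE_SIZE < XSAVE_HDR_OFFSET + sizeof(uint64_t))
        return -1;
    uint8_t *obj = calloc(uabi_size + REDZONE_SIZE, 1);
    if (!obj)
        return -1;
    memset(obj + uabi_size, REDZONE_BYTE, REDZONE_SIZE);
    stamp_fpsse_header(obj);
    int oob = 0;
    for (size_t i = 0; i < REDZONE_SIZE; i++) {
        if (obj[uabi_size + i] != REDZONE_BYTE) {
            oob = 1;
            break;
        }
    }
    free(obj);
    return oob;
}

int main(void)
{
    /* Constructed scenario: a Core2-class host with no XSAVE, so the
     * default user FPU size is the 512-byte FXSAVE region. */
    size_t host_default = FXSAVE_SIZE;
    size_t pre = guest_fpu_uabi_size(host_default, 0);
    size_t post = guest_fpu_uabi_size(host_default, 1);
    printf("pre-fix  uabi size %zu: oob=%d\n", pre, probe_oob(pre));
    printf("post-fix uabi size %zu: oob=%d\n", post, probe_oob(post));
    return 0;
}
```

Run on the constructed no-XSAVE host, the pre-fix sizing reports an overrun at exactly the offset KASAN flagged, while the post-fix sizing keeps the header inside the 4096-byte buffer; the WARN path only trips if some opt-in feature pushes the host default past sizeof(struct kvm_xsave).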