CVE-2022-48853
Virtio SCSI swiotlb DMA_INFO LEAK
Description
In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). This mapping involves bouncing via the swiotlb (we need swiotlb to do virtio in protected guest like s390 Secure Execution, or AMD SEV). 4) When the SCSI TUR is done, we first copy back the content of the second (that is swiotlb) bounce buffer (which most likely contains some previous IO data), to the first bounce buffer, which contains all zeros. Then we copy back the content of the first bounce buffer to the user-space buffer. 5) The test case detects that the buffer, which it zero-initialized, ain't all zeros and fails. One can argue that this is an swiotlb problem, because without swiotlb we leak all zeros, and the swiotlb should be transparent in a sense that it does not affect the outcome (if all other participants are well behaved). Copying the content of the original buffer into the swiotlb buffer is the only way I can think of to make swiotlb transparent in such scenarios. So let's do just that if in doubt, but allow the driver to tell us that the whole mapped buffer is going to be overwritten, in which case we can preserve the old behavior and avoid the performance impact of the extra bounce.
INFO
Published Date :
July 16, 2024, 1:15 p.m.
Last Modified :
July 23, 2024, 5:05 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2022-48853.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2022-48853 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2022-48853 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jul. 23, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Changed Reference Type https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e No Types Assigned https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e Patch Changed Reference Type https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026 No Types Assigned https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026 Patch Changed Reference Type https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63 No Types Assigned https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63 Patch Changed Reference Type https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192 No Types Assigned https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192 Patch Changed Reference Type https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534 No Types Assigned https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534 Patch Changed Reference Type https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753 No Types Assigned https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753 Patch Changed Reference Type https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f No Types Assigned https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f Patch Changed Reference Type https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e No Types Assigned https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e Patch Added CWE NIST NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 4.9.320 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.14.281 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.245 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.189 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.110 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.29 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 5.16.15 -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Jul. 16, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). This mapping involves bouncing via the swiotlb (we need swiotlb to do virtio in protected guest like s390 Secure Execution, or AMD SEV). 4) When the SCSI TUR is done, we first copy back the content of the second (that is swiotlb) bounce buffer (which most likely contains some previous IO data), to the first bounce buffer, which contains all zeros. Then we copy back the content of the first bounce buffer to the user-space buffer. 5) The test case detects that the buffer, which it zero-initialized, ain't all zeros and fails. One can argue that this is an swiotlb problem, because without swiotlb we leak all zeros, and the swiotlb should be transparent in a sense that it does not affect the outcome (if all other participants are well behaved). Copying the content of the original buffer into the swiotlb buffer is the only way I can think of to make swiotlb transparent in such scenarios. So let's do just that if in doubt, but allow the driver to tell us that the whole mapped buffer is going to be overwritten, in which case we can preserve the old behavior and avoid the performance impact of the extra bounce. Added Reference kernel.org https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2022-48853 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2022-48853
weaknesses.