CVE-2022-50471 (GCVE-0-2022-50471)

Vulnerability from cvelistv5 – Published: 2025-10-04 15:16 – Updated: 2025-10-04 15:16
VLAI?
Title
xen/gntdev: Accommodate VMA splitting
Summary
In the Linux kernel, the following vulnerability has been resolved: xen/gntdev: Accommodate VMA splitting Prior to this commit, the gntdev driver code did not handle the following scenario correctly with paravirtualized (PV) Xen domains: * User process sets up a gntdev mapping composed of two grant mappings (i.e., two pages shared by another Xen domain). * User process munmap()s one of the pages. * User process munmap()s the remaining page. * User process exits. In the scenario above, the user process would cause the kernel to log the following messages in dmesg for the first munmap(), and the second munmap() call would result in similar log messages: BUG: Bad page map in process doublemap.test pte:... pmd:... page:0000000057c97bff refcount:1 mapcount:-1 \ mapping:0000000000000000 index:0x0 pfn:... ... page dumped because: bad pte ... file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0 ... Call Trace: <TASK> dump_stack_lvl+0x46/0x5e print_bad_pte.cold+0x66/0xb6 unmap_page_range+0x7e5/0xdc0 unmap_vmas+0x78/0xf0 unmap_region+0xa8/0x110 __do_munmap+0x1ea/0x4e0 __vm_munmap+0x75/0x120 __x64_sys_munmap+0x28/0x40 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x61/0xcb ... For each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG) would print out the following and trigger a general protection fault in the affected Xen PV domain: (XEN) d0v... Attempt to implicitly unmap d0's grant PTE ... (XEN) d0v... Attempt to implicitly unmap d0's grant PTE ... As of this writing, gntdev_grant_map structure's vma field (referred to as map->vma below) is mainly used for checking the start and end addresses of mappings. However, with split VMAs, these may change, and there could be more than one VMA associated with a gntdev mapping. Hence, remove the use of map->vma and rely on map->pages_vm_start for the original start address and on (map->count << PAGE_SHIFT) for the original mapping size. Let the invalidate() and find_special_page() hooks use these. Also, given that there can be multiple VMAs associated with a gntdev mapping, move the "mmu_interval_notifier_remove(&map->notifier)" call to the end of gntdev_put_map, so that the MMU notifier is only removed after the closing of the last remaining VMA. Finally, use an atomic to prevent inadvertent gntdev mapping re-use, instead of using the map->live_grants atomic counter and/or the map->vma pointer (the latter of which is now removed). This prevents the userspace from mmap()'ing (with MAP_FIXED) a gntdev mapping over the same address range as a previously set up gntdev mapping. This scenario can be summarized with the following call-trace, which was valid prior to this commit: mmap gntdev_mmap mmap (repeat mmap with MAP_FIXED over the same address range) gntdev_invalidate unmap_grant_pages (sets 'being_removed' entries to true) gnttab_unmap_refs_async unmap_single_vma gntdev_mmap (maps the shared pages again) munmap gntdev_invalidate unmap_grant_pages (no-op because 'being_removed' entries are true) unmap_single_vma (For PV domains, Xen reports that a granted page is being unmapped and triggers a general protection fault in the affected domain, if Xen was built with CONFIG_DEBUG) The fix for this last scenario could be worth its own commit, but we opted for a single commit, because removing the gntdev_grant_map structure's vma field requires guarding the entry to gntdev_mmap(), and the live_grants atomic counter is not sufficient on its own to prevent the mmap() over a pre-existing mapping.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ab31523c2fcac557226bac72cbdf5fafe01f9a26 , < 3c6a888e352283a14f37b9b433cd598a1a3a7dd0 (git)
Affected: ab31523c2fcac557226bac72cbdf5fafe01f9a26 , < 7c16d0a4e6a436b4e7c92bead3fab55aaa4c1141 (git)
Affected: ab31523c2fcac557226bac72cbdf5fafe01f9a26 , < 4fb4053d90caa9985b87ec0e0c32c66a55bdfa3a (git)
Affected: ab31523c2fcac557226bac72cbdf5fafe01f9a26 , < cdafa219ace013c594e2491158ad1b51f9923dde (git)
Affected: ab31523c2fcac557226bac72cbdf5fafe01f9a26 , < 5c13a4a0291b30191eff9ead8d010e1ca43a4d0c (git)
Create a notification for this product.
    Linux Linux Affected: 2.6.38
Unaffected: 0 , < 2.6.38 (semver)
Unaffected: 5.10.152 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/gntdev-common.h",
            "drivers/xen/gntdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3c6a888e352283a14f37b9b433cd598a1a3a7dd0",
              "status": "affected",
              "version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
              "versionType": "git"
            },
            {
              "lessThan": "7c16d0a4e6a436b4e7c92bead3fab55aaa4c1141",
              "status": "affected",
              "version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
              "versionType": "git"
            },
            {
              "lessThan": "4fb4053d90caa9985b87ec0e0c32c66a55bdfa3a",
              "status": "affected",
              "version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
              "versionType": "git"
            },
            {
              "lessThan": "cdafa219ace013c594e2491158ad1b51f9923dde",
              "status": "affected",
              "version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
              "versionType": "git"
            },
            {
              "lessThan": "5c13a4a0291b30191eff9ead8d010e1ca43a4d0c",
              "status": "affected",
              "version": "ab31523c2fcac557226bac72cbdf5fafe01f9a26",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/gntdev-common.h",
            "drivers/xen/gntdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.152",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.152",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/gntdev: Accommodate VMA splitting\n\nPrior to this commit, the gntdev driver code did not handle the\nfollowing scenario correctly with paravirtualized (PV) Xen domains:\n\n* User process sets up a gntdev mapping composed of two grant mappings\n  (i.e., two pages shared by another Xen domain).\n* User process munmap()s one of the pages.\n* User process munmap()s the remaining page.\n* User process exits.\n\nIn the scenario above, the user process would cause the kernel to log\nthe following messages in dmesg for the first munmap(), and the second\nmunmap() call would result in similar log messages:\n\n  BUG: Bad page map in process doublemap.test  pte:... pmd:...\n  page:0000000057c97bff refcount:1 mapcount:-1 \\\n    mapping:0000000000000000 index:0x0 pfn:...\n  ...\n  page dumped because: bad pte\n  ...\n  file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0\n  ...\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x46/0x5e\n   print_bad_pte.cold+0x66/0xb6\n   unmap_page_range+0x7e5/0xdc0\n   unmap_vmas+0x78/0xf0\n   unmap_region+0xa8/0x110\n   __do_munmap+0x1ea/0x4e0\n   __vm_munmap+0x75/0x120\n   __x64_sys_munmap+0x28/0x40\n   do_syscall_64+0x38/0x90\n   entry_SYSCALL_64_after_hwframe+0x61/0xcb\n   ...\n\nFor each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG)\nwould print out the following and trigger a general protection fault in\nthe affected Xen PV domain:\n\n  (XEN) d0v... Attempt to implicitly unmap d0\u0027s grant PTE ...\n  (XEN) d0v... Attempt to implicitly unmap d0\u0027s grant PTE ...\n\nAs of this writing, gntdev_grant_map structure\u0027s vma field (referred to\nas map-\u003evma below) is mainly used for checking the start and end\naddresses of mappings. However, with split VMAs, these may change, and\nthere could be more than one VMA associated with a gntdev mapping.\nHence, remove the use of map-\u003evma and rely on map-\u003epages_vm_start for\nthe original start address and on (map-\u003ecount \u003c\u003c PAGE_SHIFT) for the\noriginal mapping size. Let the invalidate() and find_special_page()\nhooks use these.\n\nAlso, given that there can be multiple VMAs associated with a gntdev\nmapping, move the \"mmu_interval_notifier_remove(\u0026map-\u003enotifier)\" call to\nthe end of gntdev_put_map, so that the MMU notifier is only removed\nafter the closing of the last remaining VMA.\n\nFinally, use an atomic to prevent inadvertent gntdev mapping re-use,\ninstead of using the map-\u003elive_grants atomic counter and/or the map-\u003evma\npointer (the latter of which is now removed). This prevents the\nuserspace from mmap()\u0027ing (with MAP_FIXED) a gntdev mapping over the\nsame address range as a previously set up gntdev mapping. This scenario\ncan be summarized with the following call-trace, which was valid prior\nto this commit:\n\n  mmap\n    gntdev_mmap\n  mmap (repeat mmap with MAP_FIXED over the same address range)\n    gntdev_invalidate\n      unmap_grant_pages (sets \u0027being_removed\u0027 entries to true)\n        gnttab_unmap_refs_async\n    unmap_single_vma\n    gntdev_mmap (maps the shared pages again)\n  munmap\n    gntdev_invalidate\n      unmap_grant_pages\n        (no-op because \u0027being_removed\u0027 entries are true)\n    unmap_single_vma (For PV domains, Xen reports that a granted page\n      is being unmapped and triggers a general protection fault in the\n      affected domain, if Xen was built with CONFIG_DEBUG)\n\nThe fix for this last scenario could be worth its own commit, but we\nopted for a single commit, because removing the gntdev_grant_map\nstructure\u0027s vma field requires guarding the entry to gntdev_mmap(), and\nthe live_grants atomic counter is not sufficient on its own to prevent\nthe mmap() over a pre-existing mapping."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-04T15:16:33.489Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3c6a888e352283a14f37b9b433cd598a1a3a7dd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c16d0a4e6a436b4e7c92bead3fab55aaa4c1141"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fb4053d90caa9985b87ec0e0c32c66a55bdfa3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdafa219ace013c594e2491158ad1b51f9923dde"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c13a4a0291b30191eff9ead8d010e1ca43a4d0c"
        }
      ],
      "title": "xen/gntdev: Accommodate VMA splitting",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50471",
    "datePublished": "2025-10-04T15:16:33.489Z",
    "dateReserved": "2025-10-04T15:13:33.466Z",
    "dateUpdated": "2025-10-04T15:16:33.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50471\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-04T16:15:43.540\",\"lastModified\":\"2025-10-06T14:56:47.823\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxen/gntdev: Accommodate VMA splitting\\n\\nPrior to this commit, the gntdev driver code did not handle the\\nfollowing scenario correctly with paravirtualized (PV) Xen domains:\\n\\n* User process sets up a gntdev mapping composed of two grant mappings\\n  (i.e., two pages shared by another Xen domain).\\n* User process munmap()s one of the pages.\\n* User process munmap()s the remaining page.\\n* User process exits.\\n\\nIn the scenario above, the user process would cause the kernel to log\\nthe following messages in dmesg for the first munmap(), and the second\\nmunmap() call would result in similar log messages:\\n\\n  BUG: Bad page map in process doublemap.test  pte:... pmd:...\\n  page:0000000057c97bff refcount:1 mapcount:-1 \\\\\\n    mapping:0000000000000000 index:0x0 pfn:...\\n  ...\\n  page dumped because: bad pte\\n  ...\\n  file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0\\n  ...\\n  Call Trace:\\n   \u003cTASK\u003e\\n   dump_stack_lvl+0x46/0x5e\\n   print_bad_pte.cold+0x66/0xb6\\n   unmap_page_range+0x7e5/0xdc0\\n   unmap_vmas+0x78/0xf0\\n   unmap_region+0xa8/0x110\\n   __do_munmap+0x1ea/0x4e0\\n   __vm_munmap+0x75/0x120\\n   __x64_sys_munmap+0x28/0x40\\n   do_syscall_64+0x38/0x90\\n   entry_SYSCALL_64_after_hwframe+0x61/0xcb\\n   ...\\n\\nFor each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG)\\nwould print out the following and trigger a general protection fault in\\nthe affected Xen PV domain:\\n\\n  (XEN) d0v... Attempt to implicitly unmap d0\u0027s grant PTE ...\\n  (XEN) d0v... Attempt to implicitly unmap d0\u0027s grant PTE ...\\n\\nAs of this writing, gntdev_grant_map structure\u0027s vma field (referred to\\nas map-\u003evma below) is mainly used for checking the start and end\\naddresses of mappings. However, with split VMAs, these may change, and\\nthere could be more than one VMA associated with a gntdev mapping.\\nHence, remove the use of map-\u003evma and rely on map-\u003epages_vm_start for\\nthe original start address and on (map-\u003ecount \u003c\u003c PAGE_SHIFT) for the\\noriginal mapping size. Let the invalidate() and find_special_page()\\nhooks use these.\\n\\nAlso, given that there can be multiple VMAs associated with a gntdev\\nmapping, move the \\\"mmu_interval_notifier_remove(\u0026map-\u003enotifier)\\\" call to\\nthe end of gntdev_put_map, so that the MMU notifier is only removed\\nafter the closing of the last remaining VMA.\\n\\nFinally, use an atomic to prevent inadvertent gntdev mapping re-use,\\ninstead of using the map-\u003elive_grants atomic counter and/or the map-\u003evma\\npointer (the latter of which is now removed). This prevents the\\nuserspace from mmap()\u0027ing (with MAP_FIXED) a gntdev mapping over the\\nsame address range as a previously set up gntdev mapping. This scenario\\ncan be summarized with the following call-trace, which was valid prior\\nto this commit:\\n\\n  mmap\\n    gntdev_mmap\\n  mmap (repeat mmap with MAP_FIXED over the same address range)\\n    gntdev_invalidate\\n      unmap_grant_pages (sets \u0027being_removed\u0027 entries to true)\\n        gnttab_unmap_refs_async\\n    unmap_single_vma\\n    gntdev_mmap (maps the shared pages again)\\n  munmap\\n    gntdev_invalidate\\n      unmap_grant_pages\\n        (no-op because \u0027being_removed\u0027 entries are true)\\n    unmap_single_vma (For PV domains, Xen reports that a granted page\\n      is being unmapped and triggers a general protection fault in the\\n      affected domain, if Xen was built with CONFIG_DEBUG)\\n\\nThe fix for this last scenario could be worth its own commit, but we\\nopted for a single commit, because removing the gntdev_grant_map\\nstructure\u0027s vma field requires guarding the entry to gntdev_mmap(), and\\nthe live_grants atomic counter is not sufficient on its own to prevent\\nthe mmap() over a pre-existing mapping.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3c6a888e352283a14f37b9b433cd598a1a3a7dd0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4fb4053d90caa9985b87ec0e0c32c66a55bdfa3a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5c13a4a0291b30191eff9ead8d010e1ca43a4d0c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7c16d0a4e6a436b4e7c92bead3fab55aaa4c1141\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cdafa219ace013c594e2491158ad1b51f9923dde\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.