Cyber Posture

CVE-2022-49556

High

Published: 26 February 2025
Modified: 22 January 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0008 (24.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak

For some sev ioctl interfaces, the length parameter that is passed may be less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP firmware returns. In this case, kmalloc will allocate memory that is the size of the input rather than the size of the data. Since PSP firmware doesn't fully overwrite the allocated buffer, these sev ioctl interfaces may return uninitialized kernel slab memory.

Security Summary

CVE-2022-49556 is a vulnerability in the Linux kernel's KVM SVM component, specifically affecting certain SEV ioctl interfaces. The issue occurs when the length parameter passed to these interfaces is less than or equal to SEV_FW_BLOB_MAX_SIZE but larger than the data returned by the PSP firmware. In such cases, kmalloc allocates memory sized to the input length, but the firmware does not fully overwrite the buffer, resulting in the leakage of uninitialized kernel slab memory to userspace.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) in an unchanged security scope (S:U). Exploitation enables high confidentiality impact through disclosure of sensitive kernel memory (C:H), with no integrity impact (I:N) but high availability impact (A:H), yielding a CVSS v3.1 base score of 7.1.

Mitigation involves patches that replace kmalloc with kzalloc for the affected SEV ioctl interfaces, ensuring zero-initialization of allocated memory to prevent uninitialized data leaks. These fixes are backported to stable kernel releases via commits such as 401bef1f95de92c3a8c6eece46e02fa88d7285ee, 57a01725339f9d82b099102ba2751621b1caab93, bbdcc644b59e01e98c68894a9fab42b9687f42b0, d22d2474e3953996f03528b84b7f52cc26a39403, and d8fdb4b24097472ff6b3c0559448200d420b1418.
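
The leak and the kzalloc fix described above, as a userspace model added here (not kernel code and not taken from the patch). The helpers `model_kmalloc`, `model_kzalloc` and `model_fw_fill`, the 0xA5 stale pattern and the 16-byte firmware reply are constructed, and the model assumes the full requested length is copied back to the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xA5        /* constructed: bytes left by a previous slab user */
#define FW_REPLY_LEN 16   /* constructed: bytes the modelled firmware writes */

/* Model of kmalloc(): memory comes back with old contents still in it. */
static unsigned char *model_kmalloc(size_t n) {
    unsigned char *p = malloc(n);
    if (p)
        memset(p, STALE, n);
    return p;
}

/* Model of kzalloc(): same allocation, zero-filled. */
static unsigned char *model_kzalloc(size_t n) {
    return calloc(1, n);
}

/* Model of the PSP firmware: writes its reply, never the whole buffer. */
static void model_fw_fill(unsigned char *blob, size_t len) {
    memset(blob, 0x11, len < FW_REPLY_LEN ? len : FW_REPLY_LEN);
}

/* Model of the ioctl path: allocate user_len, let firmware fill, copy user_len
 * bytes out (assumption). Returns how many stale bytes reached the caller. */
size_t stale_bytes_returned(size_t user_len, int zeroed) {
    unsigned char *blob, *out;
    size_t i, stale = 0;
    if (user_len == 0)
        return 0;
    blob = zeroed ? model_kzalloc(user_len) : model_kmalloc(user_len);
    out = malloc(user_len);
    if (!blob || !out) { free(blob); free(out); return (size_t)-1; }
    model_fw_fill(blob, user_len);
    memcpy(out, blob, user_len);          /* stands in for copy_to_user() */
    for (i = 0; i < user_len; i++)
        stale += (out[i] == STALE);
    free(blob); free(out);
    return stale;
}

int main(void) {
    printf("kmalloc model: %zu stale bytes\n", stale_bytes_returned(64, 0));
    printf("kzalloc model: %zu stale bytes\n", stale_bytes_returned(64, 1));
    return 0;
}
```

With the zeroed allocation the tail beyond the firmware reply still reaches the caller, but it contains only zeros.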

Details

CWE(s)
NVD-CWE-noinfo

Affected Products

linux
linux kernel
5.7 — 5.10.124 · 5.11 — 5.15.45 · 5.16 — 5.17.13
