阿里云漏洞库

漏洞描述

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: fix info leak with DMA_FROM_DEVICE

The problem I'm addressing was discovered by the LTP test covering

cve-2018-1000204.

A short description of what happens follows:

1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO

interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV

and a corresponding dxferp. The peculiar thing about this is that TUR

is not reading from the device.

2) In sg_start_req() the invocation of blk_rq_map_user() effectively

bounces the user-space buffer. As if the device was to transfer into

it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in

sg_build_indirect()") we make sure this first bounce buffer is

allocated with GFP_ZERO.

3) For the rest of the story we keep ignoring that we have a TUR, so the

device won't touch the buffer we prepare as if the we had a

DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device

and the buffer allocated by SG is mapped by the function

virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here

scatter-gather and not scsi generics). This mapping involves bouncing

via the swiotlb (we need swiotlb to do virtio in protected guest like

s390 Secure Execution, or AMD SEV).

4) When the SCSI TUR is done, we first copy back the content of the second

(that is swiotlb) bounce buffer (which most likely contains some

previous IO data), to the first bounce buffer, which contains all

zeros. Then we copy back the content of the first bounce buffer to

the user-space buffer.

5) The test case detects that the buffer, which it zero-initialized,

ain't all zeros and fails.

One can argue that this is an swiotlb problem, because without swiotlb

we leak all zeros, and the swiotlb should be transparent in a sense that

it does not affect the outcome (if all other participants are well

behaved).

Copying the content of the original buffer into the swiotlb buffer is

the only way I can think of to make swiotlb transparent in such

scenarios. So let's do just that if in doubt, but allow the driver

to tell us that the whole mapped buffer is going to be overwritten,

in which case we can preserve the old behavior and avoid the performance

impact of the extra bounce.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://access.redhat.com/security/cve/CVE-2022-48853
https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e
https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026
https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63
https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192
https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534
https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753
https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f
https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e
https://lore.kernel.org/linux-cve-announce/2024071626-CVE-2022-48853-c6d8@gregkh/T

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	debian_11	linux	*		Up to (excluding) 5.10.113-1
	运行在以下环境
	系统	debian_12	linux	*		Up to (excluding) 5.16.18-1
	运行在以下环境
	系统	linux	linux_kernel	*		Up to (excluding) 4.9.320
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.10	Up to (excluding) 4.14.281
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.15	Up to (excluding) 4.19.245
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 4.20	Up to (excluding) 5.4.189
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.11	Up to (excluding) 5.15.29
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.16	Up to (excluding) 5.16.15
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.5	Up to (excluding) 5.10.110

攻击路径

本地
攻击复杂度

困难
权限要求

管控权限
影响范围

有限影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
NVD-CWE-noinfo

中危 CVE-2022-48853

漏洞描述

解决建议

参考链接

受影响软件情况