CVE-2022-1158: Use After Free
First published: Tue Mar 29 2022(Updated: )
A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:4.18.0-425.3.1.rt7.213.el8 | 0:4.18.0-425.3.1.rt7.213.el8 |
| redhat/kernel | <0:4.18.0-425.3.1.el8 | 0:4.18.0-425.3.1.el8 |
| redhat/kernel | <0:4.18.0-193.95.1.el8_2 | 0:4.18.0-193.95.1.el8_2 |
| redhat/kernel-rt | <0:4.18.0-193.95.1.rt13.146.el8_2 | 0:4.18.0-193.95.1.rt13.146.el8_2 |
| redhat/kernel-rt | <0:4.18.0-305.71.1.rt7.143.el8_4 | 0:4.18.0-305.71.1.rt7.143.el8_4 |
| redhat/kernel | <0:4.18.0-305.71.1.el8_4 | 0:4.18.0-305.71.1.el8_4 |
| redhat/kernel | <0:4.18.0-372.36.1.el8_6 | 0:4.18.0-372.36.1.el8_6 |
| redhat/kernel | <0:5.14.0-162.6.1.el9_1 | 0:5.14.0-162.6.1.el9_1 |
| redhat/kernel-rt | <0:5.14.0-162.6.1.rt21.168.el9_1 | 0:5.14.0-162.6.1.rt21.168.el9_1 |
| redhat/kernel | <0:5.14.0-70.36.1.el9_0 | 0:5.14.0-70.36.1.el9_0 |
| redhat/kernel-rt | <0:5.14.0-70.36.1.rt21.108.el9_0 | 0:5.14.0-70.36.1.rt21.108.el9_0 |
| Linux Linux kernel | >=5.2<5.4.189 | |
| Linux Linux kernel | >=5.5<5.10.110 | |
| Linux Linux kernel | >=5.11<5.15.33 | |
| Linux Linux kernel | >=5.16<5.16.19 | |
| Linux Linux kernel | >=5.17<5.17.2 | |
| Fedoraproject Fedora | =36 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| redhat/kernel | <5.18 | 5.18 |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.12.6-1 |
Remedy
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-1158 https://nvd.nist.gov/vuln/detail/CVE-2022-1158 https://www.openwall.com/lists/oss-security/2022/04/08/4
- https://bugzilla.redhat.com/show_bug.cgi?id=2069793
- https://access.redhat.com/errata/RHSA-2022:7444
- https://access.redhat.com/errata/RHSA-2022:7683
- https://access.redhat.com/errata/RHSA-2022:8940
- https://access.redhat.com/errata/RHSA-2022:8941
- https://access.redhat.com/errata/RHSA-2022:8989
- https://access.redhat.com/errata/RHSA-2022:8673
- https://access.redhat.com/errata/RHSA-2022:8685
- https://access.redhat.com/errata/RHSA-2022:8686
- https://access.redhat.com/errata/RHSA-2022:8809
- https://access.redhat.com/errata/RHSA-2022:8831
- https://access.redhat.com/errata/RHSA-2022:8267
- https://access.redhat.com/errata/RHSA-2022:7933
- https://access.redhat.com/errata/RHSA-2022:8973
- https://access.redhat.com/errata/RHSA-2022:8974
- https://access.redhat.com/errata/RHSA-2022:9082
- https://access.redhat.com/security/cve/cve-2022-1158
- https://security.netapp.com/advisory/ntap-20230214-0003/
- https://www.openwall.com/lists/oss-security/2022/04/08/4
- https://launchpad.net/bugs/cve/CVE-2022-1158
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2096819
- https://github.com/torvalds/linux/commit/bd53cb35a3e9adb73a834a36586e9ad80e877767
- https://github.com/torvalds/linux/commit/2a8859f373b0a86f0ece8ec8312607eacf12485d
- https://github.com/torvalds/linux/commit/f122dfe4476890d60b8c679128cd2259ec96a24c
- https://git.kernel.org/linus/2a8859f373b0a86f0ece8ec8312607eacf12485d
- https://security-tracker.debian.org/tracker/CVE-2022-1158
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1158
- https://nvd.nist.gov/vuln/detail/CVE-2022-1158
- https://ubuntu.com/security/CVE-2022-1158
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1158
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- package-manager/redhat
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.2
- version/linux linux kernel/5.5
- version/linux linux kernel/5.11
- version/linux linux kernel/5.16
- version/linux linux kernel/5.17
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/debian