CVE-2022-2308 - OpenCVE

A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2103900
https://lore.kernel.org/lkml/20220831154923.97809-1-maxime.coquelin@redhat.com/T/
https://nvd.nist.gov/vuln/detail/CVE-2022-2308
https://www.cve.org/CVERecord?id=CVE-2022-2308

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-09-01T20:01:28

Updated: 2024-08-03T00:32:09.598Z

Reserved: 2022-07-05T00:00:00

Link: CVE-2022-2308

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-01T21:15:09.340

Modified: 2022-09-13T19:47:46.690

Link: CVE-2022-2308

Redhat

Severity : Moderate

Publid Date: 2022-08-19T00:00:00Z

Links: CVE-2022-2308 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Linux kernel", "vendor": "n/a", "versions": [{"status": "affected", "version": "uknown"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-457", "description": "CWE-457", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-01T20:01:28", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2022-2308", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Linux kernel", "version": {"version_data": [{"version_value": "uknown"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-457"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:09.598Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2022-2308", "datePublished": "2022-09-01T20:01:28", "dateReserved": "2022-07-05T00:00:00", "dateUpdated": "2024-08-03T00:32:09.598Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers."}, {"lang": "es", "value": "Se ha encontrado un fallo en vDPA con el backend VDUSE. Actualmente no se presentan comprobaciones en el controlador del kernel de VDUSE para asegurar que el tama\u00f1o del espacio de configuraci\u00f3n del dispositivo est\u00e1 en l\u00ednea con las caracter\u00edsticas anunciadas por la aplicaci\u00f3n de espacio de usuario de VDUSE. En caso de desajuste, los ayudantes de lectura de configuraci\u00f3n de los controladores de Virtio no inicializan la memoria pasada indirectamente a vduse_vdpa_get_config() devolviendo memoria no inicializada de la pila. Esto podr\u00eda causar un comportamiento indefinido o filtrado de datos en los controladores de Virtio"}], "id": "CVE-2022-2308", "lastModified": "2022-09-13T19:47:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-01T21:15:09.340", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-457"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Maxime Coquelin (Red Hat).", "bugzilla": {"description": "kernel: use of uninitialized memory could lead to data leak in Virtio drivers with VDUSE", "id": "2103900", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2103900"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-457->CWE-200", "details": ["A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. This could cause undefined behavior or data leaks in Virtio drivers.", "A flaw was found in the Linux kernel in vDPA with VDUSE backend. There were no checks in VDUSE kernel driver to ensure the size of the device config space was in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers did not initialize the memory indirectly passed to vduse_vdpa_get_config() returning uninitialized memory from the stack. Such memory was not directly propagated to userspace, although under some circumstances it could be printed in the kernel logs."], "name": "CVE-2022-2308", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2308\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2308\nhttps://lore.kernel.org/lkml/20220831154923.97809-1-maxime.coquelin@redhat.com/T/"], "statement": "Red Hat Enterprise Linux is not affected by this flaw as vDPA Device in Userspace (VDUSE) is not supported in any current shipping kernels.", "threat_severity": "Moderate", "upstream_fix": "kernel 6.0-rc5"}