CVE-2022-50738

Published: Dic 24, 2025 Last Modified: Dic 29, 2025

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

vhost-vdpa: fix an iotlb memory leak

Before commit 3d5698793897 ('vhost-vdpa: introduce asid based IOTLB')
we called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during
release to free all the resources allocated when processing user IOTLB
messages through vhost_vdpa_process_iotlb_update().
That commit changed the handling of IOTLB a bit, and we accidentally
removed some code called during the release.

We partially fixed this with commit 037d4305569a ('vhost-vdpa: call
vhost_vdpa_cleanup during the release') but a potential memory leak is
still there as showed by kmemleak if the application does not send
VHOST_IOTLB_INVALIDATE or crashes:

unreferenced object 0xffff888007fbaa30 (size 16):
comm 'blkio-bench', pid 914, jiffies 4294993521 (age 885.500s)
hex dump (first 16 bytes):
40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00 @sA.............
backtrace:
[<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0
[<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa]
[<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost]
[<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa]
[<00000000de1cd4a0>] vfs_write+0x216/0x4b0
[<00000000a2850200>] ksys_write+0x71/0xf0
[<00000000de8e720b>] __x64_sys_write+0x19/0x20
[<0000000018b12cbb>] do_syscall_64+0x3f/0x90
[<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Let's fix this calling vhost_vdpa_iotlb_unmap() on the whole range in
vhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup()
since we need a valid v->vdev.mm in vhost_vdpa_pa_unmap().
vhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap()
on the whole range removes all the entries.

The kmemleak log reported was observed with a vDPA device that has `use_va`
set to true (e.g. VDUSE). This patch has been tested with both types of
devices.

AI Generated Translation

Nel kernel Linux, è stata risolta la seguente vulnerabilità:

vhost-vdpa: correggere una perdita di memoria iotlb

Prima del commit 3d5698793897 ("vhost-vdpa: introduce asid based IOTLB")
chiamavamo vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) durante
la release per liberare tutte le risorse allocate durante l'elaborazione dei messaggi IOTLB utente tramite vhost_vdpa_process_iotlb_update().
Quel commit ha modificato leggermente la gestione dell'IOTLB, e abbiamo accidentalmente
rimosso del codice chiamato durante la release.

Abbiamo parzialmente risolto il problema con il commit 037d4305569a ("vhost-vdpa: chiamare
vhost_vdpa_cleanup durante la release") ma una potenziale perdita di memoria persiste,
come mostrato da kmemleak, se l'applicazione non invia VHOST_IOTLB_INVALIDATE o si blocca:

oggetto non referenziato 0xffff888007fbaa30 (dimensione 16):
comm "blkio-bench", pid 914, jiffies 4294993521 (età 885.500s)
dump esadecimale (prime 16 byte):
40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00 @sA.............
backtrace:
[<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0
[<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa]
[<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost]
[<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa]
[<00000000de1cd4a0>] vfs_write+0x216/0x4b0
[<00000000a2850200>] ksys_write+0x71/0xf0
[<00000000de8e720b>] __x64_sys_write+0x19/0x20
[<0000000018b12cbb>] do_syscall_64+0x3f/0x90
[<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Per risolvere, chiamiamo vhost_vdpa_iotlb_unmap() sull'intera gamma in
vhost_vdpa_remove_as(). spostiamo questa chiamata prima di vhost_dev_cleanup(),
poiché abbiamo bisogno di un v->vdev.mm valido in vhost_vdpa_pa_unmap().
La chiamata a vhost_iotlb_reset() può essere rimossa, poiché vhost_vdpa_iotlb_unmap()
sull'intera gamma rimuove tutte le voci.

Il log di kmemleak riportato è stato osservato con un dispositivo vDPA che ha `use_va`
impostato a true (ad esempio VDUSE). Questa patch è stata testata con entrambi i tipi di
dispositivi.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0002

Percentile

0,1th

Updated

EPSS Score Trend (Last 81 Days)

https://git.kernel.org/stable/c/4e92cb33bfb51eee5f28bb10846…

https://git.kernel.org/stable/c/4e92cb33bfb51eee5f28bb10846c46f266a4bb67

https://git.kernel.org/stable/c/a2907867e2c86067accd2f011d6…

https://git.kernel.org/stable/c/a2907867e2c86067accd2f011d6f23ee5533aa6c

https://git.kernel.org/stable/c/c070c1912a83432530cbb4271d5…

https://git.kernel.org/stable/c/c070c1912a83432530cbb4271d5b9b11fa36b67a

CVE-2022-50738

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 81 Days)

Iscriviti alla newsletter