
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in the Linux Kernel's KVM (Kernel-based Virtual Machine) implementation, identified as CVE-2022-1158. The flaw was introduced in kernel version 5.2 and affects versions up to 5.18. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. This vulnerability was discovered by Qiuhao Li, Gaoning Pan, and Yongkang Jia (OSS Security).
The vulnerability occurs in KVM's page table entry update path. When KVM updates a guest's page table entry, it first attempts to pin the page with get_user_pages_fast(). If that fails and vma->flags has VM_PFNMAP set, it computes the physical address using vm_pgoff as the offset to obtain the page's pfn. This approach only works correctly for memory maps such as /dev/mem, where vm_pgoff is the pfn passed to remap_pfn_range(). The bug has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
Since /dev/kvm is accessible by unprivileged local users, this vulnerability allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel. This can result in a denial of service condition or potentially lead to privilege escalation. However, exploitation is limited as the write operation is a compare-and-exchange operation that only updates the Access/Dirty bit (OSS Security).
The vulnerability has been fixed through multiple approaches. For distributions and stable kernels, Paolo Bonzini provided an inline assembly patch that updates the gPTE through a valid userspace address. Additionally, Sean Christopherson and Peter Zijlstra introduced macros for CMPXCHG and replaced cmpxchg_gpte() with __try_cmpxchg_user(). The fix was included in Linux kernel version 5.18 (Red Hat Bugzilla).
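The two preconditions the write-up names, a host kernel in the affected range and a /dev/kvm node that unprivileged users can open, can be checked on a host with the script below. It is an added example, not code from the advisory or the kernel tree; it assumes GNU stat and treats a version match only as a hint, since distribution kernels backport fixes.

```shell
#!/bin/sh
# Added host check for CVE-2022-1158 (not from the advisory): flags a kernel
# whose MAJOR.MINOR lies in the affected range (introduced in 5.2, fixed in
# 5.18) and a /dev/kvm node that any local user can open. A version match
# is a hint only; confirm against your vendor's advisory for backports.

# kernel_in_affected_range VERSION -> true when MAJOR.MINOR is in [5.2, 5.18)
kernel_in_affected_range() {
    case "$1" in *.*) ;; *) return 1 ;; esac      # need at least MAJOR.MINOR
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}        # "15.0-25-generic" -> "15", "2-rc1" -> "2"
    case "$major$minor" in *[!0-9]*|'') return 1 ;; esac
    if [ "$major" -eq 5 ] && [ "$minor" -ge 2 ] && [ "$minor" -lt 18 ]; then
        return 0
    fi
    return 1
}

# mode_allows_other_rw OCTAL_MODE -> true when "other" has both r and w bits
# (e.g. 666), i.e. unprivileged users can open /dev/kvm; 660 with a dedicated
# kvm group is the usual hardening.
mode_allows_other_rw() {
    case "$1" in *[!0-7]*|'') return 1 ;; esac
    other=${1#"${1%?}"}           # lowest octal digit = permissions for "other"
    if [ $(( other & 6 )) -eq 6 ]; then
        return 0
    fi
    return 1
}

# audit_host: run both checks against the live system
audit_host() {
    kver=$(uname -r)
    if kernel_in_affected_range "$kver"; then
        echo "kernel $kver: in CVE-2022-1158 range 5.2 <= v < 5.18 (verify backports)"
    else
        echo "kernel $kver: outside the affected range"
    fi
    if [ -e /dev/kvm ]; then
        mode=$(stat -c '%a' /dev/kvm)   # GNU stat; assumed available here
        if mode_allows_other_rw "$mode"; then
            echo "/dev/kvm mode $mode: world read/write, unprivileged users reach KVM"
        else
            echo "/dev/kvm mode $mode: restricted to owner/group"
        fi
    else
        echo "/dev/kvm not present: KVM is not exposed on this host"
    fi
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh check_kvm.sh --audit` on the host; the functions are separated from the live checks so they can be exercised on version strings and modes without root.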
Source: This report was generated using AI