Re: CVE-2022-49689: xen-blkfront: Handle NULL gendisk

From: Juergen Gross
Date: Wed Feb 26 2025 - 02:43:35 EST

Next message: Krzysztof Wilczyński: "Re: [PATCH 0/2] PCI: dwc-debugfs: Couple of fixes"
Previous message: Nikolay Borisov: "[PATCH] KVM: VMX: Remove EPT_VIOLATIONS_ACC_*_BIT defines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 26.02.25 03:24, Greg Kroah-Hartman wrote:

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

xen-blkfront: Handle NULL gendisk

When a VBD is not fully created and then closed, the kernel can have a
NULL pointer dereference:

The reproducer is trivial:

[user@dom0 ~]$ sudo xl block-attach work backend=sys-usb vdev=xvdi target=/dev/sdz
[user@dom0 ~]$ xl block-list work
Vdev BE handle state evt-ch ring-ref BE-path
51712 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51712
51728 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51728
51744 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51744
51760 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51760
51840 3 241 3 -1 -1 /local/domain/3/backend/vbd/241/51840
^ note state, the /dev/sdz doesn't exist in the backend

[user@dom0 ~]$ sudo xl block-detach work xvdi

Please revoke this CVE. As the reproducer recipe is clearly showing, the
bug can be triggered by host admin actions only. There is no way an unprivileged
user on the host or in the guest could trigger the issue.

Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Next message: Krzysztof Wilczyński: "Re: [PATCH 0/2] PCI: dwc-debugfs: Couple of fixes"
Previous message: Nikolay Borisov: "[PATCH] KVM: VMX: Remove EPT_VIOLATIONS_ACC_*_BIT defines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]