{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49219", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.292Z", "datePublished": "2025-02-26T01:55:52.131Z", "dateUpdated": "2025-02-26T01:55:52.131Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-26T01:55:52.131Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix memory leak during D3hot to D0 transition\n\nIf 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does\nnot have No_Soft_Reset bit set in its PMCSR config register), then\nthe current PCI state will be saved locally in\n'vfio_pci_core_device::pm_save' during D0->D3hot transition and same\nwill be restored back during D3hot->D0 transition.\nFor saving the PCI state locally, pci_store_saved_state() is being\nused and the pci_load_and_free_saved_state() will free the allocated\nmemory.\n\nBut for reset related IOCTLs, vfio driver calls PCI reset-related\nAPI's which will internally change the PCI power state back to D0. So,\nwhen the guest resumes, then it will get the current state as D0 and it\nwill skip the call to vfio_pci_set_power_state() for changing the\npower state to D0 explicitly. In this case, the memory pointed by\n'pm_save' will never be freed. In a malicious sequence, the state changing\nto D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be\nrun in a loop and it can cause an OOM situation.\n\nThis patch frees the earlier allocated memory first before overwriting\n'pm_save' to prevent the mentioned memory leak."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/pci/vfio_pci_core.c"], "versions": [{"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2", "lessThan": "4319f17fb8264ba39352b611dfa913a4d8c1d1a0", "status": "affected", "versionType": "git"}, {"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2", "lessThan": "26ddd196e9eb264da8e1bdc4df8a94d62581c8b5", "status": "affected", "versionType": "git"}, {"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2", "lessThan": "c8a1f8bd586ee31020614b8d48b702ece3e2ae44", "status": "affected", "versionType": "git"}, {"version": "51ef3a004b1eb6241e56b3aa8495769a092a4dc2", "lessThan": "eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/vfio/pci/vfio_pci_core.c"], "versions": [{"version": "5.1", "status": "affected"}, {"version": "0", "lessThan": "5.1", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.33", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.19", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.2", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/4319f17fb8264ba39352b611dfa913a4d8c1d1a0"}, {"url": "https://git.kernel.org/stable/c/26ddd196e9eb264da8e1bdc4df8a94d62581c8b5"}, {"url": "https://git.kernel.org/stable/c/c8a1f8bd586ee31020614b8d48b702ece3e2ae44"}, {"url": "https://git.kernel.org/stable/c/eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991"}], "title": "vfio/pci: fix memory leak during D3hot to D0 transition", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5B0B00D-6DCA-4714-B384-1EB7C214ABBE", "versionEndExcluding": "5.15.33", "versionStartIncluding": "5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: fix memory leak during D3hot to D0 transition\n\nIf 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does\nnot have No_Soft_Reset bit set in its PMCSR config register), then\nthe current PCI state will be saved locally in\n'vfio_pci_core_device::pm_save' during D0->D3hot transition and same\nwill be restored back during D3hot->D0 transition.\nFor saving the PCI state locally, pci_store_saved_state() is being\nused and the pci_load_and_free_saved_state() will free the allocated\nmemory.\n\nBut for reset related IOCTLs, vfio driver calls PCI reset-related\nAPI's which will internally change the PCI power state back to D0. So,\nwhen the guest resumes, then it will get the current state as D0 and it\nwill skip the call to vfio_pci_set_power_state() for changing the\npower state to D0 explicitly. In this case, the memory pointed by\n'pm_save' will never be freed. In a malicious sequence, the state changing\nto D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be\nrun in a loop and it can cause an OOM situation.\n\nThis patch frees the earlier allocated memory first before overwriting\n'pm_save' to prevent the mentioned memory leak."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfio/pci: se corrige la p\u00e9rdida de memoria durante la transici\u00f3n de D3hot a D0 Si se establece 'vfio_pci_core_device::needs_pm_restore' (el dispositivo PCI no tiene el bit No_Soft_Reset establecido en su registro de configuraci\u00f3n PMCSR), entonces el estado PCI actual se guardar\u00e1 localmente en 'vfio_pci_core_device::pm_save' durante la transici\u00f3n de D0 a D3hot y el mismo se restaurar\u00e1 durante la transici\u00f3n de D3hot a D0. Para guardar el estado PCI localmente, se utiliza pci_store_saved_state() y pci_load_and_free_saved_state() liberar\u00e1 la memoria asignada. Pero para los IOCTL relacionados con el reinicio, el controlador vfio llama a las API relacionadas con el reinicio de PCI que cambiar\u00e1n internamente el estado de energ\u00eda de PCI a D0. Por lo tanto, cuando el invitado se reanude, obtendr\u00e1 el estado actual como D0 y omitir\u00e1 la llamada a vfio_pci_set_power_state() para cambiar el estado de energ\u00eda a D0 expl\u00edcitamente. En este caso, la memoria apuntada por 'pm_save' nunca se liberar\u00e1. En una secuencia maliciosa, el cambio de estado a D3hot seguido de VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET se puede ejecutar en un bucle y puede causar una situaci\u00f3n de OOM. Este parche libera primero la memoria asignada anteriormente antes de sobrescribir 'pm_save' para evitar la p\u00e9rdida de memoria mencionada."}], "id": "CVE-2022-49219", "lastModified": "2025-03-18T19:33:24.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:00:58.977", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/26ddd196e9eb264da8e1bdc4df8a94d62581c8b5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4319f17fb8264ba39352b611dfa913a4d8c1d1a0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c8a1f8bd586ee31020614b8d48b702ece3e2ae44"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: vfio/pci: fix memory leak during D3hot to D0 transition", "id": "2348104", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348104"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-401", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvfio/pci: fix memory leak during D3hot to D0 transition\nIf 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does\nnot have No_Soft_Reset bit set in its PMCSR config register), then\nthe current PCI state will be saved locally in\n'vfio_pci_core_device::pm_save' during D0->D3hot transition and same\nwill be restored back during D3hot->D0 transition.\nFor saving the PCI state locally, pci_store_saved_state() is being\nused and the pci_load_and_free_saved_state() will free the allocated\nmemory.\nBut for reset related IOCTLs, vfio driver calls PCI reset-related\nAPI's which will internally change the PCI power state back to D0. So,\nwhen the guest resumes, then it will get the current state as D0 and it\nwill skip the call to vfio_pci_set_power_state() for changing the\npower state to D0 explicitly. In this case, the memory pointed by\n'pm_save' will never be freed. In a malicious sequence, the state changing\nto D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be\nrun in a loop and it can cause an OOM situation.\nThis patch frees the earlier allocated memory first before overwriting\n'pm_save' to prevent the mentioned memory leak."], "name": "CVE-2022-49219", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49219\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49219\nhttps://lore.kernel.org/linux-cve-announce/2025022621-CVE-2022-49219-3b9b@gregkh/T"], "threat_severity": "Moderate"}