CVE-2022-26365

一、漏洞信息
漏洞编号：CVE-2022-26365
漏洞归属组件：kernel
漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0
CVSS V3.0分值：
BaseScore：7.1 High
Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
漏洞简述：
Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don t zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn t allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).
漏洞公开时间：2022-07-05 21:15:00
漏洞创建时间：2022-07-12 09:58:50
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-26365

更多参考(点击展开)

参考来源	参考链接	来源链接
nvd	https://xenbits.xenproject.org/xsa/advisory-403.txt
nvd	http://xenbits.xen.org/xsa/advisory-403.html
nvd	http://www.openwall.com/lists/oss-security/2022/07/05/6
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/
nvd	https://www.debian.org/security/2022/dsa-5191
nvd	https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html
redhat	https://access.redhat.com/security/cve/CVE-2022-26365
redhat_bugzilla	https://xenbits.xen.org/xsa/advisory-403.html	https://bugzilla.redhat.com/show_bug.cgi?id=2104746
redhat_bugzilla	https://www.openwall.com/lists/oss-security/2022/07/05/6	https://bugzilla.redhat.com/show_bug.cgi?id=2104746
redhat_bugzilla	http://www.xenproject.org/security-policy.html	https://bugzilla.redhat.com/show_bug.cgi?id=2104746
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26365	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://xenbits.xen.org/xsa/advisory-403.html	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://xenbits.xenproject.org/xsa/advisory-403.txt	https://ubuntu.com/security/CVE-2022-26365
ubuntu	http://xenbits.xen.org/xsa/advisory-403.html	https://ubuntu.com/security/CVE-2022-26365
ubuntu	http://www.openwall.com/lists/oss-security/2022/07/05/6	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5572-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5579-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5572-2	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5623-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5624-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5633-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5635-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5640-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5644-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5648-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5655-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5668-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5669-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5669-2	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5677-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5678-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5679-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5682-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5683-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5684-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5687-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5695-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5706-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://ubuntu.com/security/notices/USN-5773-1	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-26365	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-26365	https://ubuntu.com/security/CVE-2022-26365
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-26365	https://ubuntu.com/security/CVE-2022-26365
debian		https://security-tracker.debian.org/tracker/CVE-2022-26365
anolis		https://anas.openanolis.cn/cves/detail/CVE-2022-26365
cve_search		https://xenbits.xenproject.org/xsa/advisory-403.txt
cve_search		http://xenbits.xen.org/xsa/advisory-403.html
cve_search		http://www.openwall.com/lists/oss-security/2022/07/05/6
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGFTRZ66KQYTSYIRT5FRHF5D6O72NWOP/
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/
cve_search		https://www.debian.org/security/2022/dsa-5191
mageia		http://advisories.mageia.org/MGASA-2022-0264.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2257.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2264.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2284.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2285.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2286.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2287.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2288.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2289.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2304.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2343.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2344.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2345.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2816.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2817.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-2819.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
amazon_linux	https://alas.aws.amazon.com/cve/html/CVE-2022-3037.html	https://alas.aws.amazon.com/ALAS-2022-1639.html
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/
nvd	https://www.debian.org/security/2022/dsa-5191
nvd	https://lists.debian.org/debian-lts-announce/2022/10/msg00000.html
redhat_bugzilla	https://xenbits.xen.org/xsa/advisory-403.html
redhat_bugzilla	https://www.openwall.com/lists/oss-security/2022/07/05/6
redhat_bugzilla	http://www.xenproject.org/security-policy.html
redhat_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2104746
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26365
ubuntu	https://xenbits.xen.org/xsa/advisory-403.html
ubuntu	https://xenbits.xenproject.org/xsa/advisory-403.txt
ubuntu	http://xenbits.xen.org/xsa/advisory-403.html
ubuntu	http://www.openwall.com/lists/oss-security/2022/07/05/6
ubuntu	https://ubuntu.com/security/notices/USN-5572-1
ubuntu	https://ubuntu.com/security/notices/USN-5579-1
ubuntu	https://ubuntu.com/security/notices/USN-5572-2
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-26365
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-26365
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-26365
debian	https://security-tracker.debian.org/tracker/CVE-2022-26365
anolis	https://anas.openanolis.cn/cves/detail/CVE-2022-26365

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
其它
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
linux_kernel	4.14.287	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=44dc5bcac4b0ec4e876110a69ead25a9b130234b	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	linuxkernelcves
linux_kernel	4.19.251	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f4a1391185e30c977bfe1648435c152f806211c7	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	linuxkernelcves
linux_kernel	4.9.322	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4fbda9d1fc771b44e96ee4cea58f37d926010ffc	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	linuxkernelcves
linux_kernel	5.10.129	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=cfea428030be836d79a7690968232bb7fa4410f1	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	linuxkernelcves
linux_kernel	5.15.53	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	linuxkernelcves
linux_kernel	5.18.10	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=62b5d188a270a25138a88c18409c596c1406b993	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	linuxkernelcves
linux_kernel	5.4.204	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=42112e8f94617d83943f8f3b8de2b66041905506	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=1da177e4c3f41524e886b7f1b8a0c1fc7321cac2	linuxkernelcves

二、漏洞分析结构反馈
影响性分析说明：
不受信任的后端可以访问不打算共享的数据。如果此类映射是使用写入权限进行的，则后端还可能导致共享页面中连续数据的使用者出现故障和/或崩溃。
openEuler评分：
3.3
Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP1(4.19.90):受影响
2.openEuler-20.03-LTS-SP3(4.19.90):受影响
3.openEuler-22.03-LTS:受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP3(4.19.90):否
3.openEuler-22.03-LTS:否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2022-1774

Hi ryuo, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers: @Xie XiuQi , @YangYingliang , @成坚 (CHENG Jian) , @pi3orama , @jiaoff

@Xie XiuQi ,@YangYingliang ,@成坚 (CHENG Jian) ,@pi3orama ,@jiaoff
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1(4.19.90):
2.openEuler-20.03-LTS-SP3(4.19.194):
3.openEuler-22.03-LTS(5.10.0):

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):
2.openEuler-20.03-LTS-SP3(4.19.194):
3.openEuler-22.03-LTS(5.10.0):

issue处理具体操作请参考:
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://ubuntu.com/security/CVE-2022-26365
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-26365
https://nvd.nist.gov/vuln/detail/CVE-2022-26365
https://security-tracker.debian.org/tracker/CVE-2022-26365
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-26365

说明：抱歉，当前工具暂未找到推荐补丁，请人工查找或者之后评论'/find-patch'尝试再次查找。
若人工查找到补丁，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

@wangxiaoya CVE信息从NVD同步成功, 稍后请重新加载页面.

CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 主要是修复xen申请内存时没有初始化为0的问题

// granted_page 数据泄露的流程，如果 backend 传入偏移为0，长度为 4096，将可以读到整个page的内容
blkif_completion
  gnttab_foreach_grant_in_range
    blkif_copy_from_grant // fn(pfn_to_gfn(xen_pfn), goffset, glen, data);
      shared_data = kmap_atomic(s->grants_used[info->grant_idx]->page) // 映射 grants_used 数组中的 page
      memcpy(..., shared_data + offset, ...) // 如果不把 granted_page 内容初始化为0， 会泄露数据
  list_add_tail(&s->grants_used[i]->node, &rinfo->grants) // 添加到 grants 链表中
  list_add_tail(&s->indirect_grants[i]->node, &rinfo->grants) // 添加到 grants 链表中

// granted_page 和 indirect_page 分配的过程
blkfront_setup_indirect
  fill_grant_buffer
    if (info->bounce)
    granted_page = alloc_page(GFP_NOIO | __GFP_ZERO) // 申请的内存初始化为0
    gnt_list_entry->page = granted_page
    list_add(&gnt_list_entry->node, &rinfo->grants) // 添加到 rinfo->grants 链表
  if (!info->bounce
  struct page *indirect_page = alloc_page(GFP_KERNEL | __GFP_ZERO) // 申请的内存初始化为0

// grants_used 数组的处理过程
blkif_setup_rw_req_grant
  get_indirect_grant
    indirect_page = list_first_entry // 从链表中获取 indirect page
  shadow->indirect_grants[n] = gnt_list_entry // 放到 indirect_grants 数组中
  get_grant
    get_free_grant
      gnt_list_entry = list_first_entry // 从链表中获取 grant page
  shadow->grants_used[setup->grant_idx] = gnt_list_entry // 放到 grants_used 数组中

// 申请接收buffer的过程
xennet_alloc_rx_buffers
  xennet_alloc_one_rx_buffer
    page = page_pool_alloc_pages(queue->page_pool, GFP_ATOMIC | __GFP_NOWARN | __GFP_ZERO) // 申请的内存初始化为0
    skb_add_rx_frag
      skb_fill_page_desc
        __skb_fill_page_desc
          frag->bv_page             = page
    page = skb_frag_page(&skb_shinfo(skb)->frags[0]);
    gnttab_page_grant_foreign_access_ref_one(..., page, ...)
  queue->rx_skbs[id] = skb; // 添加到 rx_skbs 数组中

// 使用 rx_skbs 数组中的 page
xennet_poll
  xennet_get_responses
    xennet_get_rx_skb
    xennet_run_xdp(skb_frag_page(&skb_shinfo(skb)->frags[0)) // 如果 page 申请内存时内容没初始化为0， 会导致数据泄露

// 如果 backend 传入偏移为0，长度为 整个page的大小，将可以读到整个page的内容
xennet_start_xmit
  if (np->bounce
  // 修复前 使用 skb_copy->__alloc_skb, 不会将内容初始化为0
  bounce_skb
    struct sk_buff *n = alloc_skb(size, GFP_ATOMIC | __GFP_ZERO) // 申请的内存初始化为0
  page = virt_to_page(skb->data)
  xennet_make_txreqs(&info, page, offset, len)

openEuler-1.0-LTS 前置补丁：

# 不申请连续内存
5f547e7cbd84 xen/blkfront: fix memory allocation flags in blkfront_setup_indirect()
# 解决死锁问题，wait_event 替换成 wait_event_timeout，超时再次尝试
c2c633106453 xen-netfront: fix potential deadlock in xennet_remove()

@陈孝松 1.影响性分析说明=> 没有填写或按正确格式填写

影响性分析说明：
不受信任的后端可以访问不打算共享的数据。如果此类映射是使用写入权限进行的，则后端还可能导致共享页面中连续数据的使用者出现故障和/或崩溃。

openEuler评分：
3.3
Vector：CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP1(4.19.90):受影响
2.openEuler-20.03-LTS-SP3(4.19.194):受影响
3.openEuler-22.03-LTS(5.10.0):受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP3(4.19.194):否
3.openEuler-22.03-LTS(5.10.0):否

@Xie XiuQi 经过 cve-manager 解析, 已分析的内容如下表所示:

状态	需分析	内容
已分析	1.影响性分析说明	不受信任的后端可以访问不打算共享的数据。如果此类映射是使用写入权限进行的，则后端还可能导致共享页面中连续数据的使用者出现故障和/或崩溃。
已分析	2.openEulerScore	3.3
已分析	2.openEulerVector	AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
已分析	3.受影响版本排查	openEuler-20.03-LTS-SP1:受影响,openEuler-20.03-LTS-SP3:受影响,openEuler-22.03-LTS:受影响
已分析	4.修复是否涉及abi变化	openEuler-20.03-LTS-SP1:否,openEuler-20.03-LTS-SP3:否,openEuler-22.03-LTS:否

请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.

@成坚 (CHENG Jian) ,@Xie XiuQi ,@YangYingliang ,@pi3orama ,@jiaoff ,@zhengzengkai
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I5GLXT:CVE-2022-26365
受影响分支: openEuler-20.03-LTS-SP1/openEuler-20.03-LTS-SP3/openEuler-22.03-LTS
具体操作参考: https://gitee.com/help/articles/4142

@liujingang09 ,@yanxiaobing2020 ,@zhujianwei001 ,@gwei3 ,@mdche 经过 cve-manager 解析 openEuler评分已改变需要您及时进行审核,以便maintainer进行后续操作.

/approve

@Xie XiuQi you submit issue score audit success(approved by gwei3),You can proceed to the next step!

/approve

@gwei3 你已审核模板内容,cve-manager 将关闭issue!

src-openEuler / kernel

内容风险标识

评论 (17)

src-openEuler / kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2022-26365

评论 (17)

搜索帮助

src-openEuler / kernel