CVE-2022-50575
Description
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
As 'kdata.num' is user-controlled data, if a user tries to allocate memory larger than (>=) MAX_ORDER, then kcalloc() will fail; it creates a stack trace and messes up dmesg with a warning.
Call trace: -> privcmd_ioctl --> privcmd_ioctl_mmap_resource
Add __GFP_NOWARN in order to avoid too large allocation warning. This is detected by static analysis using smatch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, xen/privcmd ioctl mmap_resource can be triggered to emit a kernel warning due to user-controlled large allocation, enabling local denial-of-service.
Vulnerability
Description
In the Linux kernel's Xen privcmd driver, the privcmd_ioctl_mmap_resource() function uses a user-supplied value, kdata.num, to allocate memory via kcalloc(). If this value is equal to or greater than MAX_ORDER, the allocation fails and triggers a kernel warning (WARN_ON), which prints a stack trace and fills the system log (dmesg). This behavior was discovered through static analysis with smatch. The root cause is the lack of a __GFP_NOWARN flag to suppress the warning for failures due to excessively large allocation requests.
Exploitation
The vulnerability can be exploited by any local user who can issue ioctl calls to the /dev/xen/privcmd device. Typically, this requires privileges such as root or membership in the xen group. By crafting an ioctl with a large num value, the attacker forces kcalloc to fail and triggers the warning. No special network access or authentication beyond local system access is needed.
Impact
The primary impact is a local denial-of-service condition. Repeated triggering of the warning can fill the kernel log, degrade system performance, and potentially cause system instability. There is no evidence of memory corruption or privilege escalation; the bug is a warning-only issue.
Mitigation
The fix was applied in multiple Linux kernel stable branches, adding the __GFP_NOWARN flag to the kcalloc call to suppress the warning when the allocation fails due to size. The specific commits are referenced in [1], [2], [3]. Users should update their kernel to include these patches.
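The following is an added userspace model of the allocation path described above; it is not code from the kernel or from this CVE's patches. It assumes a 4 KiB page, a MAX_ORDER of 11 (the classic x86-64 default), an 8-byte per-entry array as the thing being allocated, and a simplified allocator in which any request of order >= MAX_ORDER fails and, unless a NOWARN flag is set, would have dumped a warning. It shows why a large kdata.num maps to a failing page order, and that the fix changes only the logging, not the failure:

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>

/* Assumed constants modelling the kernel page allocator (example values). */
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_MAX_ORDER 11   /* assumed; orders 0..MAX_ORDER-1 are allocatable */

/* Allocation flags for the model; mirrors GFP_KERNEL vs GFP_KERNEL | __GFP_NOWARN. */
enum { MODEL_GFP_KERNEL = 0, MODEL_GFP_NOWARN = 1 };

/* Page order needed to hold `bytes`, like the kernel's get_order(). */
int model_get_order(size_t bytes)
{
    size_t pages = (bytes + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
    int order = 0;
    while ((1UL << order) < pages)
        order++;
    return order;
}

/* Model of kcalloc(num, size, flags). num*size overflow fails quietly (as the
 * real kcalloc does); an order >= MAX_ORDER fails and, without NOWARN, would
 * have produced the stack-trace warning in dmesg. `*warned` records that. */
void *model_kcalloc(size_t num, size_t size, int flags, int *warned)
{
    size_t bytes;
    *warned = 0;
    if (__builtin_mul_overflow(num, size, &bytes))
        return NULL;
    if (model_get_order(bytes) >= MODEL_MAX_ORDER) {
        if (!(flags & MODEL_GFP_NOWARN))
            *warned = 1;          /* the noisy path this CVE is about */
        return NULL;
    }
    return calloc(num, size);
}

/* Ioctl-like handler: `fixed` selects the pre-fix flags (GFP_KERNEL) or the
 * post-fix flags (GFP_KERNEL | __GFP_NOWARN). Element size is assumed 8 bytes. */
int model_mmap_resource(size_t num, int fixed, int *warned)
{
    int flags = fixed ? (MODEL_GFP_KERNEL | MODEL_GFP_NOWARN) : MODEL_GFP_KERNEL;
    void *pfns = model_kcalloc(num, sizeof(uint64_t), flags, warned);
    if (!pfns)
        return -ENOMEM;
    free(pfns);
    return 0;
}

/* Convenience accessors so a caller can check each outcome as a single value. */
int model_result(size_t num, int fixed)
{
    int w;
    return model_mmap_resource(num, fixed, &w);
}

int model_warned(size_t num, int fixed)
{
    int w;
    (void)model_mmap_resource(num, fixed, &w);
    return w;
}

int main(void)
{
    size_t small = 16;                 /* constructed: fits in one page */
    size_t huge  = (size_t)1 << 24;    /* constructed: 128 MiB request, order 15 */
    printf("small: ret=%d warned=%d\n", model_result(small, 0), model_warned(small, 0));
    printf("huge, before fix: ret=%d warned=%d\n", model_result(huge, 0), model_warned(huge, 0));
    printf("huge, after fix:  ret=%d warned=%d\n", model_result(huge, 1), model_warned(huge, 1));
    return 0;
}
```

The model makes the defender's point concrete: before and after the fix the caller still gets -ENOMEM for an oversized request, so the patch removes the log flooding rather than any memory-safety risk. An additional hardening a driver author might consider, not part of this fix, is an explicit upper bound on the user-supplied count before allocating at all.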
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (7)
- 5d68ae32d132
- 4f983ee5e5de
- 46026bb057c3
- 0bf874183b32
- e0c5f1058ed9
- 4da411086f5a
- 8b997b2bb2c5
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- https://git.kernel.org/stable/c/0bf874183b32eae2cc20e3c5be38ec3d33e7e564 (nvd)
- https://git.kernel.org/stable/c/46026bb057c35f5bb111bf95e00cd8366d2e34d4 (nvd)
- https://git.kernel.org/stable/c/4da411086f5ab32f811a89ef804980ec106ebb65 (nvd)
- https://git.kernel.org/stable/c/4f983ee5e5de924d93a7bbb4e6f68f38c6256cd5 (nvd)
- https://git.kernel.org/stable/c/5d68ae32d132ea2af73bc223fd64c46f85302a8b (nvd)
- https://git.kernel.org/stable/c/8b997b2bb2c53b76a6db6c195930e9ab8e4b0c79 (nvd)
- https://git.kernel.org/stable/c/e0c5f1058ed96f2b7487560c4c4cbd768d13d065 (nvd)
News mentions (0)
No linked articles in our index yet.