CVE-2022-48853: Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
In the Linux kernel, the following vulnerability has been resolved:
swiotlb: fix info leak with DMA_FROM_DEVICE
The problem I'm addressing was discovered by the LTP test covering
cve-2018-1000204.
A short description of what happens follows:
1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO
interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV
and a corresponding dxferp. The peculiar thing about this is that TUR
is not reading from the device.
2) In sg_start_req() the invocation of blk_rq_map_user() effectively
bounces the user-space buffer. As if the device was to transfer into
it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in
sg_build_indirect()") we make sure this first bounce buffer is
allocated with GFP_ZERO.
3) For the rest of the story we keep ignoring that we have a TUR, so the
device won't touch the buffer we prepare as if the we had a
DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device
and the buffer allocated by SG is mapped by the function
virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here
scatter-gather and not scsi generics). This mapping involves bouncing
via the swiotlb (we need swiotlb to do virtio in protected guest like
s390 Secure Execution, or AMD SEV).
4) When the SCSI TUR is done, we first copy back the content of the second
(that is swiotlb) bounce buffer (which most likely contains some
previous IO data), to the first bounce buffer, which contains all
zeros. Then we copy back the content of the first bounce buffer to
the user-space buffer.
5) The test case detects that the buffer, which it zero-initialized,
ain't all zeros and fails.
One can argue that this is an swiotlb problem, because without swiotlb
we leak all zeros, and the swiotlb should be transparent in a sense that
it does not affect the outcome (if all other participants are well
behaved).
Copying the content of the original buffer into the swiotlb buffer is
the only way I can think of to make swiotlb transparent in such
scenarios. So let's do just that if in doubt, but allow the driver
to tell us that the whole mapped buffer is going to be overwritten,
in which case we can preserve the old behavior and avoid the performance
impact of the extra bounce.
Security readout for executives and security teams
Plain-English summary
CVE-2022-48853 is a Linux kernel information leak involving DMA bounce buffers. In specific storage I/O paths, data left in a SWIOTLB bounce buffer could be copied back to user space instead of zeros. The source describes a kernel fix, but provides no CVSS score or evidence of active exploitation.
Executive priority
Treat this as a targeted kernel information-disclosure risk, not an emergency remote-execution event. Prioritize patching for virtualization hosts and protected guest environments where SWIOTLB is expected, then handle remaining Linux fleets through normal kernel maintenance.
Technical view
The issue affects Linux SWIOTLB handling for DMA_FROM_DEVICE mappings. A SCSI SG_IO TEST UNIT READY request can prepare a receive buffer that the device does not overwrite. With virtio-scsi and SWIOTLB, stale bounce-buffer contents may be copied back to user space. The fix restores copying the original buffer into SWIOTLB when overwrite is uncertain.
Likely exposure
Most relevant exposure is Linux systems using SWIOTLB-dependent I/O paths, especially protected guest virtualization scenarios mentioned in the source such as s390 Secure Execution or AMD SEV with virtio-scsi. The bundle lists multiple affected Linux kernel versions but does not provide distribution-specific package status.
Exploitation context
The bundle describes a local information disclosure pattern discovered by testing, not remote compromise. KEV is false, and no cited source in the bundle reports active exploitation. Successful impact appears dependent on access to the relevant SCSI SG_IO path and a SWIOTLB bounce-buffer configuration.
Researcher notes
Evidence is strongest for a SWIOTLB transparency bug triggered through SCSI SG_IO behavior where the device does not overwrite a DMA_FROM_DEVICE buffer. The public bundle lacks CVSS, CWE, exploit reports, and distro-level fix mapping, so validation should focus on kernel lineage and vendor backports.
Mitigation direction
Apply Linux kernel updates that include the referenced stable SWIOTLB fixes.
Check distribution advisories for CVE-2022-48853 package status.
Prioritize protected guest and virtio-scsi environments using SWIOTLB.
Limit unnecessary untrusted access to SCSI generic interfaces.
Track vendor guidance if fixed package availability is unclear.
Validation and detection
Inventory Linux kernel versions against affected versions in the CVE bundle.
Confirm vendor kernels include CVE-2022-48853 or the SWIOTLB fix commits.
Identify hosts using virtio-scsi, protected virtualization, or SWIOTLB-heavy I/O paths.
Review exposure of SG_IO-capable device interfaces to untrusted users.
Use vendor-supported regression testing where kernel updates are staged.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48853 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.