Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49179

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
26/02/2025
Last modified:
25/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block, bfq: don&amp;#39;t move oom_bfqq<br /> <br /> Our test report a UAF:<br /> <br /> [ 2073.019181] ==================================================================<br /> [ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168<br /> [ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584<br /> [ 2073.019192]<br /> [ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5<br /> [ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015<br /> [ 2073.019200] Call trace:<br /> [ 2073.019203] dump_backtrace+0x0/0x310<br /> [ 2073.019206] show_stack+0x28/0x38<br /> [ 2073.019210] dump_stack+0xec/0x15c<br /> [ 2073.019216] print_address_description+0x68/0x2d0<br /> [ 2073.019220] kasan_report+0x238/0x2f0<br /> [ 2073.019224] __asan_store8+0x88/0xb0<br /> [ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168<br /> [ 2073.019233] bfq_put_async_queues+0xbc/0x208<br /> [ 2073.019236] bfq_pd_offline+0x178/0x238<br /> [ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420<br /> [ 2073.019244] bfq_exit_queue+0x128/0x178<br /> [ 2073.019249] blk_mq_exit_sched+0x12c/0x160<br /> [ 2073.019252] elevator_exit+0xc8/0xd0<br /> [ 2073.019256] blk_exit_queue+0x50/0x88<br /> [ 2073.019259] blk_cleanup_queue+0x228/0x3d8<br /> [ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk]<br /> [ 2073.019274] null_exit+0x90/0x114 [null_blk]<br /> [ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0<br /> [ 2073.019282] el0_svc_common+0xc8/0x320<br /> [ 2073.019287] el0_svc_handler+0xf8/0x160<br /> [ 2073.019290] el0_svc+0x10/0x218<br /> [ 2073.019291]<br /> [ 2073.019294] Allocated by task 14163:<br /> [ 2073.019301] kasan_kmalloc+0xe0/0x190<br /> [ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418<br /> [ 2073.019308] bfq_pd_alloc+0x54/0x118<br /> [ 2073.019313] blkcg_activate_policy+0x250/0x460<br /> [ 2073.019317] bfq_create_group_hierarchy+0x38/0x110<br /> [ 2073.019321] bfq_init_queue+0x6d0/0x948<br /> [ 2073.019325] blk_mq_init_sched+0x1d8/0x390<br /> [ 2073.019330] elevator_switch_mq+0x88/0x170<br /> [ 2073.019334] elevator_switch+0x140/0x270<br /> [ 2073.019338] elv_iosched_store+0x1a4/0x2a0<br /> [ 2073.019342] queue_attr_store+0x90/0xe0<br /> [ 2073.019348] sysfs_kf_write+0xa8/0xe8<br /> [ 2073.019351] kernfs_fop_write+0x1f8/0x378<br /> [ 2073.019359] __vfs_write+0xe0/0x360<br /> [ 2073.019363] vfs_write+0xf0/0x270<br /> [ 2073.019367] ksys_write+0xdc/0x1b8<br /> [ 2073.019371] __arm64_sys_write+0x50/0x60<br /> [ 2073.019375] el0_svc_common+0xc8/0x320<br /> [ 2073.019380] el0_svc_handler+0xf8/0x160<br /> [ 2073.019383] el0_svc+0x10/0x218<br /> [ 2073.019385]<br /> [ 2073.019387] Freed by task 72584:<br /> [ 2073.019391] __kasan_slab_free+0x120/0x228<br /> [ 2073.019394] kasan_slab_free+0x10/0x18<br /> [ 2073.019397] kfree+0x94/0x368<br /> [ 2073.019400] bfqg_put+0x64/0xb0<br /> [ 2073.019404] bfqg_and_blkg_put+0x90/0xb0<br /> [ 2073.019408] bfq_put_queue+0x220/0x228<br /> [ 2073.019413] __bfq_put_async_bfqq+0x98/0x168<br /> [ 2073.019416] bfq_put_async_queues+0xbc/0x208<br /> [ 2073.019420] bfq_pd_offline+0x178/0x238<br /> [ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420<br /> [ 2073.019429] bfq_exit_queue+0x128/0x178<br /> [ 2073.019433] blk_mq_exit_sched+0x12c/0x160<br /> [ 2073.019437] elevator_exit+0xc8/0xd0<br /> [ 2073.019440] blk_exit_queue+0x50/0x88<br /> [ 2073.019443] blk_cleanup_queue+0x228/0x3d8<br /> [ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk]<br /> [ 2073.019459] null_exit+0x90/0x114 [null_blk]<br /> [ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0<br /> [ 2073.019467] el0_svc_common+0xc8/0x320<br /> [ 2073.019471] el0_svc_handler+0xf8/0x160<br /> [ 2073.019474] el0_svc+0x10/0x218<br /> [ 2073.019475]<br /> [ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00<br /> which belongs to the cache kmalloc-1024 of size 1024<br /> [ 2073.019484] The buggy address is located 552 bytes inside of<br /> 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)<br /> [ 2073.019486] The buggy address belongs to the page:<br /> [ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0<br /> [ 2073.020123] flags: 0x7ffff0000008100(slab|head)<br /> [ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00<br /> [ 2073.020409] ra<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.189 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools