Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49297

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
21/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nbd: fix io hung while disconnecting device<br /> <br /> In our tests, "qemu-nbd" triggers a io hung:<br /> <br /> INFO: task qemu-nbd:11445 blocked for more than 368 seconds.<br /> Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884<br /> "echo 0 &gt; /proc/sys/kernel/hung_task_timeout_secs" disables this message.<br /> task:qemu-nbd state:D stack: 0 pid:11445 ppid: 1 flags:0x00000000<br /> Call Trace:<br /> <br /> __schedule+0x480/0x1050<br /> ? _raw_spin_lock_irqsave+0x3e/0xb0<br /> schedule+0x9c/0x1b0<br /> blk_mq_freeze_queue_wait+0x9d/0xf0<br /> ? ipi_rseq+0x70/0x70<br /> blk_mq_freeze_queue+0x2b/0x40<br /> nbd_add_socket+0x6b/0x270 [nbd]<br /> nbd_ioctl+0x383/0x510 [nbd]<br /> blkdev_ioctl+0x18e/0x3e0<br /> __x64_sys_ioctl+0xac/0x120<br /> do_syscall_64+0x35/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7fd8ff706577<br /> RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577<br /> RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f<br /> RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0<br /> R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d<br /> R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0<br /> <br /> "qemu-ndb -d" will call ioctl &amp;#39;NBD_DISCONNECT&amp;#39; first, however, following<br /> message was found:<br /> <br /> block nbd0: Send disconnect failed -32<br /> <br /> Which indicate that something is wrong with the server. Then,<br /> "qemu-nbd -d" will call ioctl &amp;#39;NBD_CLEAR_SOCK&amp;#39;, however ioctl can&amp;#39;t clear<br /> requests after commit 2516ab1543fd("nbd: only clear the queue on device<br /> teardown"). And in the meantime, request can&amp;#39;t complete through timeout<br /> because nbd_xmit_timeout() will always return &amp;#39;BLK_EH_RESET_TIMER&amp;#39;, which<br /> means such request will never be completed in this situation.<br /> <br /> Now that the flag &amp;#39;NBD_CMD_INFLIGHT&amp;#39; can make sure requests won&amp;#39;t<br /> complete multiple times, switch back to call nbd_clear_sock() in<br /> nbd_clear_sock_ioctl(), so that inflight requests can be cleared.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14.283 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.247 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.122 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.47 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.17.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 5.18.4 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools