CVE-2022-49400

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
26/02/2025
Last modified:
17/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

md: Don't set mddev private to NULL in raid0 pers->free

In the normal stop process, it does like this:
do_md_stop
|
__md_stop (pers->free(); mddev->private=NULL)
|
md_free (free mddev)
__md_stop sets mddev->private to NULL after pers->free. The raid device
will be stopped and the mddev memory is freed. But in reshape, it doesn't
free the mddev and the mddev will still be used in the new raid.

In reshape, it first sets mddev->private to new_pers and then runs
old_pers->free(). Now raid0 sets mddev->private to NULL in raid0_free.
The new raid can't work anymore. It will panic when dereferencing
mddev->private because of a NULL pointer dereference.

It can panic like this:
[63010.814972] kernel BUG at drivers/md/raid10.c:928!
[63010.819778] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[63010.825011] CPU: 3 PID: 44437 Comm: md0_resync Kdump: loaded Not tainted 5.14.0-86.el9.x86_64 #1
[63010.833789] Hardware name: Dell Inc. PowerEdge R6415/07YXFK, BIOS 1.15.0 09/11/2020
[63010.841440] RIP: 0010:raise_barrier+0x161/0x170 [raid10]
[63010.865508] RSP: 0018:ffffc312408bbc10 EFLAGS: 00010246
[63010.870734] RAX: 0000000000000000 RBX: ffffa00bf7d39800 RCX: 0000000000000000
[63010.877866] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffa00bf7d39800
[63010.884999] RBP: 0000000000000000 R08: fffffa4945e74400 R09: 0000000000000000
[63010.892132] R10: ffffa00eed02f798 R11: 0000000000000000 R12: ffffa00bbc435200
[63010.899266] R13: ffffa00bf7d39800 R14: 0000000000000400 R15: 0000000000000003
[63010.906399] FS: 0000000000000000(0000) GS:ffffa00eed000000(0000) knlGS:0000000000000000
[63010.914485] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[63010.920229] CR2: 00007f5cfbe99828 CR3: 0000000105efe000 CR4: 00000000003506e0
[63010.927363] Call Trace:
[63010.929822] ? bio_reset+0xe/0x40
[63010.933144] ? raid10_alloc_init_r10buf+0x60/0xa0 [raid10]
[63010.938629] raid10_sync_request+0x756/0x1610 [raid10]
[63010.943770] md_do_sync.cold+0x3e4/0x94c
[63010.947698] md_thread+0xab/0x160
[63010.951024] ? md_write_inc+0x50/0x50
[63010.954688] kthread+0x149/0x170
[63010.957923] ? set_kthread_struct+0x40/0x40
[63010.962107] ret_from_fork+0x22/0x30

Removing the code that sets mddev->private to NULL in raid0 can fix the
problem.
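
The ordering problem the advisory describes, modelled in user space as an added example (this is not kernel code and not the upstream patch): a reduced mddev with a private pointer, a raid0 free hook in its buggy and fixed forms, and the reshape sequence that points mddev->private at the new personality's conf before calling the old personality's free. The struct names, raid0_free_buggy, raid0_free_fixed and reshape_keeps_private are constructed for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's mddev: only the field the bug touches. */
struct mddev {
    void *private;   /* per-personality state, like mddev->private in md */
};

struct raid0_conf  { int nr_strip_zones; };   /* old personality's state (constructed) */
struct raid10_conf { int copies; };           /* new personality's state (constructed) */

/* Pre-fix behaviour: raid0's free hook releases its conf AND clears mddev->private.
 * Correct for do_md_stop (where __md_stop nulls it anyway), wrong during reshape. */
static void raid0_free_buggy(struct mddev *mddev, void *priv)
{
    free(priv);
    mddev->private = NULL;   /* clobbers the new personality's conf during reshape */
}

/* Post-fix behaviour: the hook only releases what it owns; mddev->private is left
 * to the caller (__md_stop in the stop path, the new personality in reshape). */
static void raid0_free_fixed(struct mddev *mddev, void *priv)
{
    (void)mddev;
    free(priv);
}

/* Replays the reshape order from the advisory: mddev->private is switched to the
 * new personality's conf first, then old_pers->free() runs. Returns 1 if the new
 * personality can still reach its conf afterwards, 0 if the hook nulled it
 * (the kernel would dereference NULL here; we check instead of crashing). */
static int reshape_keeps_private(void (*old_free)(struct mddev *, void *))
{
    struct mddev mddev = { 0 };
    struct raid0_conf  *old_conf = calloc(1, sizeof *old_conf);
    struct raid10_conf *new_conf = calloc(1, sizeof *new_conf);
    int ok;

    old_conf->nr_strip_zones = 1;
    new_conf->copies = 2;
    mddev.private = old_conf;       /* array currently running as raid0 */

    mddev.private = new_conf;       /* level change: install raid10 conf first ... */
    old_free(&mddev, old_conf);     /* ... then let raid0 release its own state */

    /* raid10 would now read mddev->private (e.g. in raise_barrier); verify it survived */
    ok = mddev.private == new_conf && ((struct raid10_conf *)mddev.private)->copies == 2;
    free(new_conf);
    return ok;
}
```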

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.17 (including) 5.15.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16.3 (including) 5.17.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 5.18.3 (excluding)