Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49901

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
07/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-mq: Fix kmemleak in blk_mq_init_allocated_queue<br /> <br /> There is a kmemleak caused by modprobe null_blk.ko<br /> <br /> unreferenced object 0xffff8881acb1f000 (size 1024):<br /> comm "modprobe", pid 836, jiffies 4294971190 (age 27.068s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........<br /> ff ff ff ff ff ff ff ff 00 53 99 9e ff ff ff ff .........S......<br /> backtrace:<br /> [] kmalloc_node_trace+0x22/0x60<br /> [] blk_mq_alloc_and_init_hctx+0x289/0x350<br /> [] blk_mq_realloc_hw_ctxs+0x2fe/0x3d0<br /> [] blk_mq_init_allocated_queue+0x48c/0x1440<br /> [] __blk_mq_alloc_disk+0xc8/0x1c0<br /> [] 0xffffffffc450d69d<br /> [] 0xffffffffc4538392<br /> [] do_one_initcall+0xd0/0x4f0<br /> [] do_init_module+0x1a4/0x680<br /> [] load_module+0x6249/0x7110<br /> [] __do_sys_finit_module+0x140/0x200<br /> [] do_syscall_64+0x35/0x80<br /> [] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> That is because q-&gt;ma_ops is set to NULL before blk_release_queue is<br /> called.<br /> <br /> blk_mq_init_queue_data<br /> blk_mq_init_allocated_queue<br /> blk_mq_realloc_hw_ctxs<br /> for (i = 0; i nr_hw_queues; i++) {<br /> old_hctx = xa_load(&amp;q-&gt;hctx_table, i);<br /> if (!blk_mq_alloc_and_init_hctx(.., i, ..)) [1]<br /> if (!old_hctx)<br /> break;<br /> <br /> xa_for_each_start(&amp;q-&gt;hctx_table, j, hctx, j)<br /> blk_mq_exit_hctx(q, set, hctx, j); [2]<br /> <br /> if (!q-&gt;nr_hw_queues) [3]<br /> goto err_hctxs;<br /> <br /> err_exit:<br /> q-&gt;mq_ops = NULL; [4]<br /> <br /> blk_put_queue<br /> blk_release_queue<br /> if (queue_is_mq(q)) [5]<br /> blk_mq_release(q);<br /> <br /> [1]: blk_mq_alloc_and_init_hctx failed at i != 0.<br /> [2]: The hctxs allocated by [1] are moved to q-&gt;unused_hctx_list and<br /> will be cleaned up in blk_mq_release.<br /> [3]: q-&gt;nr_hw_queues is 0.<br /> [4]: Set q-&gt;mq_ops to NULL.<br /> [5]: queue_is_mq returns false due to [4]. And blk_mq_release<br /> will not be called. The hctxs in q-&gt;unused_hctx_list are leaked.<br /> <br /> To fix it, call blk_release_queue in exception path.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.2 (including) 6.0.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools