Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-50335

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/09/2025
Last modified:
04/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> 9p: set req refcount to zero to avoid uninitialized usage<br /> <br /> When a new request is allocated, the refcount will be zero if it is<br /> reused, but if the request is newly allocated from slab, it is not fully<br /> initialized before being added to idr.<br /> <br /> If the p9_read_work got a response before the refcount initiated. It will<br /> use a uninitialized req, which will result in a bad request data struct.<br /> <br /> Here is the logs from syzbot.<br /> <br /> Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00<br /> 0x00 0x00 . . . . . . . . ] (in kfence-#110):<br /> p9_fcall_fini net/9p/client.c:248 [inline]<br /> p9_req_put net/9p/client.c:396 [inline]<br /> p9_req_put+0x208/0x250 net/9p/client.c:390<br /> p9_client_walk+0x247/0x540 net/9p/client.c:1165<br /> clone_fid fs/9p/fid.h:21 [inline]<br /> v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118<br /> v9fs_xattr_set fs/9p/xattr.c:100 [inline]<br /> v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159<br /> __vfs_setxattr+0x119/0x180 fs/xattr.c:182<br /> __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216<br /> __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277<br /> vfs_setxattr+0x143/0x340 fs/xattr.c:309<br /> setxattr+0x146/0x160 fs/xattr.c:617<br /> path_setxattr+0x197/0x1c0 fs/xattr.c:636<br /> __do_sys_setxattr fs/xattr.c:652 [inline]<br /> __se_sys_setxattr fs/xattr.c:648 [inline]<br /> __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648<br /> do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]<br /> __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178<br /> do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203<br /> entry_SYSENTER_compat_after_hwframe+0x70/0x82<br /> <br /> Below is a similar scenario, the scenario in the syzbot log looks more<br /> complicated than this one, but this patch can fix it.<br /> <br /> T21124 p9_read_work<br /> ======================== second trans =================================<br /> p9_client_walk<br /> p9_client_rpc<br /> p9_client_prepare_req<br /> p9_tag_alloc<br /> req = kmem_cache_alloc(p9_req_cache, GFP_NOFS);<br /> tag = idr_alloc<br /> <br /> req-&gt;tc.tag = tag;<br /> /* req-&gt;[refcount/tag] == uninitialized */<br /> m-&gt;rreq = p9_tag_lookup(m-&gt;client, m-&gt;rc.tag);<br /> /* increments uninitalized refcount */<br /> <br /> refcount_set(&amp;req-&gt;refcount, 2);<br /> /* cb drops one ref */<br /> p9_client_cb(req)<br /> /* reader thread drops its ref:<br /> request is incorrectly freed */<br /> p9_req_put(req)<br /> /* use after free and ref underflow */<br /> p9_req_put(req)<br /> <br /> To fix it, we can initialize the refcount to zero before add to idr.

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.57 (including) 5.15.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.0.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1 (including) 6.1.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools