CVE-2022-50432

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 01/10/2025
Last modified: 20/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

kernfs: fix use-after-free in __kernfs_remove

Syzkaller managed to trigger concurrent calls to
kernfs_remove_by_name_ns() for the same file resulting in
a KASAN detected use-after-free. The race occurs when the root
node is freed during kernfs_drain().

To prevent this acquire an additional reference for the root
of the tree that is removed before calling __kernfs_remove().

Found by syzkaller with the following reproducer (slab_nomerge is
required):

syz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0)
r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0)
close(r0)
pipe2(&(0x7f0000000140)={0xffffffffffffffff, 0xffffffffffffffff}, 0x800)
mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cache_loose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAY_EXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@dont_hash}]}})

Sample report:

==================================================================
BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline]
BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
BUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857

CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433
kasan_report+0xa3/0x130 mm/kasan/report.c:495
kernfs_type include/linux/kernfs.h:335 [inline]
kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline]
__kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369
__kernfs_remove fs/kernfs/dir.c:1356 [inline]
kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589
sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943
__kmem_cache_create+0x3e0/0x550 mm/slub.c:4899
create_cache mm/slab_common.c:229 [inline]
kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335
p9_client_create+0xd4d/0x1190 net/9p/client.c:993
v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408
v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126
legacy_get_tree+0xf1/0x200 fs/fs_context.c:610
vfs_get_tree+0x85/0x2e0 fs/super.c:1530
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x675/0x1d00 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x282/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f725f983aed
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed
RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000
R10: 0000000000000408 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000


Allocated by task 855:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470
kasan_slab_alloc include/linux/kasan.h:224 [inline]
slab_post_alloc_hook mm/slab.h:7
---truncated---
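The race and the fix, as an added single-threaded C model (not kernel code and not part of this advisory): two removers act on the same node, kernfs_drain() is modelled as the window in which the second remover runs, and the kn_get/kn_put helpers, the racer callback and the "freed" flag are constructed for observability.

```c
/* Constructed model of the race behind CVE-2022-50432 and of the upstream
 * fix (hold an extra reference on the tree root across __kernfs_remove()).
 * Names mirror kernfs, but this is a stand-alone simulation, not kernel code. */
#include <stdio.h>

struct kn {
    int refcnt;   /* stands in for kernfs_node.count */
    int linked;   /* still hashed into the parent's tree */
    int freed;    /* set instead of freeing, so the model stays observable */
    int type;     /* the field kernfs_type() reads */
};

static void kn_get(struct kn *n) { n->refcnt++; }
static void kn_put(struct kn *n) { if (--n->refcnt == 0) n->freed = 1; }

/* kernfs_drain() drops kernfs_mutex; a second remover may run in that window. */
static void drain(struct kn *root, void (*racer)(struct kn *))
{
    if (racer) racer(root);
}

/* Model of __kernfs_remove(): 0 on success, -1 if it touched a freed node
 * (the point where KASAN reports the use-after-free). */
static int kernfs_remove_unfixed(struct kn *root, void (*racer)(struct kn *))
{
    if (!root->linked) return 0;           /* already removed: nothing to do */
    drain(root, racer);
    if (root->freed) return -1;            /* kernfs_leftmost_descendant -> kernfs_type */
    (void)root->type;                      /* the read that faulted in the report */
    if (root->linked) {                    /* unlink and drop the tree's reference */
        root->linked = 0;
        kn_put(root);
    }
    return 0;
}

/* The fix: take a reference on the root before __kernfs_remove(), drop it after. */
static int kernfs_remove_fixed(struct kn *root, void (*racer)(struct kn *))
{
    kn_get(root);
    int rc = kernfs_remove_unfixed(root, racer);
    kn_put(root);
    return rc;
}

/* The concurrent kernfs_remove_by_name_ns() call on the same node. */
static void racer_remove(struct kn *root) { kernfs_remove_unfixed(root, NULL); }

int main(void)
{
    struct kn a = { .refcnt = 1, .linked = 1, .freed = 0, .type = 1 }, b = a;
    printf("unfixed: %s\n", kernfs_remove_unfixed(&a, racer_remove) ? "use-after-free" : "ok");
    printf("fixed:   %s, freed once=%d\n", kernfs_remove_fixed(&b, racer_remove) ? "use-after-free" : "ok", b.freed);
    return 0;
}
```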

Vulnerable products and versions

CPE                                              From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     3.14               4.9.332
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.10               4.14.298
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.15               4.19.264
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.20               5.4.223
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5                5.10.153
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11               5.15.77
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16               6.0.7