CVE-2022-50563

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/10/2025
Last modified:
22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix UAF in run_timer_softirq()

When dm_resume() and dm_destroy() are concurrent, it will
lead to UAF, as follows:

BUG: KASAN: use-after-free in __run_timers+0x173/0x710
Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0

Call Trace:

dump_stack_lvl+0x73/0x9f
print_report.cold+0x132/0xaa2
_raw_spin_lock_irqsave+0xcd/0x160
__run_timers+0x173/0x710
kasan_report+0xad/0x110
__run_timers+0x173/0x710
__asan_store8+0x9c/0x140
__run_timers+0x173/0x710
call_timer_fn+0x310/0x310
pvclock_clocksource_read+0xfa/0x250
kvm_clock_read+0x2c/0x70
kvm_clock_get_cycles+0xd/0x20
ktime_get+0x5c/0x110
lapic_next_event+0x38/0x50
clockevents_program_event+0xf1/0x1e0
run_timer_softirq+0x49/0x90
__do_softirq+0x16e/0x62c
__irq_exit_rcu+0x1fa/0x270
irq_exit_rcu+0x12/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrency UAFs can be shown as below:

                  use                            free
do_resume                                  |
 __find_device_hash_cell                   |
  dm_get                                   |
   atomic_inc(&md->holders)                |
                                           | dm_destroy
                                           |  __dm_destroy
                                           |   if (!dm_suspended_md(md))
                                           |   atomic_read(&md->holders)
                                           |   msleep(1)
 dm_resume                                 |
  __dm_resume                              |
   dm_table_resume_targets                 |
    pool_resume                            |
     do_waker  # add delay work            |
      dm_put                               |
       atomic_dec(&md->holders)            |
                                           | dm_table_destroy
                                           |  pool_dtr
                                           |   __pool_dec
                                           |    __pool_destroy
                                           |     destroy_workqueue
                                           |     kfree(pool)  # free pool
time out
 __do_softirq
  run_timer_softirq  # pool has already been freed

This can be easily reproduced using:
1. create thin-pool
2. dmsetup suspend pool
3. dmsetup resume pool
4. dmsetup remove_all  # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds the timer after
dm_destroy() skips cancelling the timer because of the suspend status.
After timeout, it will call run_timer_softirq(); however, the pool has
already been freed. The concurrency UAF bug will happen.

Therefore, cancel the timer again in __pool_destroy().
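The interleaving above, as an added userspace model that is not kernel code and not part of the advisory: a one-slot "timer wheel" stands in for the delayed waker work, a freed flag stands in for kfree(), and the names dm_destroy_begin/dm_destroy_finish are constructed to split __dm_destroy() at the point where a concurrent dm_resume() can run. It shows that the suspend-status check lets the waker survive teardown, and that cancelling again in __pool_destroy() closes the window.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the dm-thin lifecycle; "freed" replaces kfree(pool)
 * so the timer path can be inspected after teardown without a real UAF. */
struct pool {
    bool suspended;
    bool freed;
};

/* One-slot timer wheel: the pending delayed work item points at its pool. */
static struct pool *pending_waker;

static void do_waker(struct pool *p)     { pending_waker = p; }
static void cancel_waker(struct pool *p) { if (pending_waker == p) pending_waker = NULL; }

/* dm_resume() -> pool_resume(): clear suspend and re-arm the periodic waker. */
static void dm_resume(struct pool *p) { p->suspended = false; do_waker(p); }

/* First half of __dm_destroy(): the postsuspend path that cancels the waker
 * runs only when the device is not already suspended. */
static void dm_destroy_begin(struct pool *p) { if (!p->suspended) cancel_waker(p); }

/* Second half: dm_table_destroy() -> pool_dtr() -> __pool_destroy() -> kfree(). */
static void dm_destroy_finish(struct pool *p, bool fixed)
{
    if (fixed)
        cancel_waker(p);   /* the fix: cancel the timer again in __pool_destroy() */
    p->freed = true;       /* kfree(pool) */
}

/* run_timer_softirq(): fire the pending waker; true if it targets a freed pool. */
static bool run_timer_softirq(void)
{
    struct pool *p = pending_waker;
    pending_waker = NULL;
    return p != NULL && p->freed;
}

/* Advisory interleaving: destroy sees "suspended" and skips the cancel, a
 * concurrent resume arms the waker, destroy frees the pool, the timer fires. */
bool race_triggers_uaf(bool fixed)
{
    struct pool pool = { .suspended = true, .freed = false };
    dm_destroy_begin(&pool);          /* step 4 starts: cancel skipped */
    dm_resume(&pool);                 /* step 3 concurrently: do_waker */
    dm_destroy_finish(&pool, fixed);  /* __pool_destroy + kfree */
    return run_timer_softirq();       /* timeout: does the waker hit freed memory? */
}
```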

Impact