CVE-2022-50488
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-416
Utilización después de liberación
Fecha de publicación:
04/10/2025
Última modificación:
26/01/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
block, bfq: fix possible uaf for &#39;bfqq->bic&#39;<br />
<br />
Our test report a uaf for &#39;bfqq->bic&#39; in 5.10:<br />
<br />
==================================================================<br />
BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30<br />
<br />
CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014<br />
Call Trace:<br />
bfq_select_queue+0x378/0xa30<br />
bfq_dispatch_request+0xe8/0x130<br />
blk_mq_do_dispatch_sched+0x62/0xb0<br />
__blk_mq_sched_dispatch_requests+0x215/0x2a0<br />
blk_mq_sched_dispatch_requests+0x8f/0xd0<br />
__blk_mq_run_hw_queue+0x98/0x180<br />
__blk_mq_delay_run_hw_queue+0x22b/0x240<br />
blk_mq_run_hw_queue+0xe3/0x190<br />
blk_mq_sched_insert_requests+0x107/0x200<br />
blk_mq_flush_plug_list+0x26e/0x3c0<br />
blk_finish_plug+0x63/0x90<br />
__iomap_dio_rw+0x7b5/0x910<br />
iomap_dio_rw+0x36/0x80<br />
ext4_dio_read_iter+0x146/0x190 [ext4]<br />
ext4_file_read_iter+0x1e2/0x230 [ext4]<br />
new_sync_read+0x29f/0x400<br />
vfs_read+0x24e/0x2d0<br />
ksys_read+0xd5/0x1b0<br />
do_syscall_64+0x33/0x40<br />
entry_SYSCALL_64_after_hwframe+0x61/0xc6<br />
<br />
Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups")<br />
changes that move process to a new cgroup will allocate a new bfqq to<br />
use, however, the old bfqq and new bfqq can point to the same bic:<br />
<br />
1) Initial state, two process with io in the same cgroup.<br />
<br />
Process 1 Process 2<br />
(BIC1) (BIC2)<br />
| Λ | Λ<br />
| | | |<br />
V | V |<br />
bfqq1 bfqq2<br />
<br />
2) bfqq1 is merged to bfqq2.<br />
<br />
Process 1 Process 2<br />
(BIC1) (BIC2)<br />
| |<br />
\-------------\|<br />
V<br />
bfqq1 bfqq2(coop)<br />
<br />
3) Process 1 exit, then issue new io(denoce IOA) from Process 2.<br />
<br />
(BIC2)<br />
| Λ<br />
| |<br />
V |<br />
bfqq2(coop)<br />
<br />
4) Before IOA is completed, move Process 2 to another cgroup and issue io.<br />
<br />
Process 2<br />
(BIC2)<br />
Λ<br />
|\--------------\<br />
| V<br />
bfqq2 bfqq3<br />
<br />
Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2.<br />
If all the requests are completed, and Process 2 exit, BIC2 will be<br />
freed while there is no guarantee that bfqq2 will be freed before BIC2.<br />
<br />
Fix the problem by clearing bfqq->bic while bfqq is detached from bic.
Impacto
Puntuación base 3.x
7.80
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.198 (incluyendo) | 5.5 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.121 (incluyendo) | 5.10.175 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.46 (incluyendo) | 5.15.86 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17.14 (incluyendo) | 5.18 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18.3 (incluyendo) | 6.0.16 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (incluyendo) | 6.1.2 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/094f3d9314d67691cb21ba091c1b528f6e3c4893
- https://git.kernel.org/stable/c/5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a
- https://git.kernel.org/stable/c/64dc8c732f5c2b406cc752e6aaa1bd5471159cab
- https://git.kernel.org/stable/c/761564d93c8265f65543acf0a576b32d66bfa26a
- https://git.kernel.org/stable/c/b22fd72bfebda3956efc4431b60ddfc0a51e03e0