CVE-2022-49062
Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 26/02/2025
Last modified: 01/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: Fix KASAN slab-out-of-bounds in cachefiles_set_volume_xattr

Use the actual length of volume coherency data when setting the
xattr to avoid the following KASAN report.

BUG: KASAN: slab-out-of-bounds in cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
Write of size 4 at addr ffff888101e02af4 by task kworker/6:0/1347

CPU: 6 PID: 1347 Comm: kworker/6:0 Kdump: loaded Not tainted 5.18.0-rc1-nfs-fscache-netfs+ #13
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014
Workqueue: events fscache_create_volume_work [fscache]
Call Trace:
dump_stack_lvl+0x45/0x5a
print_report.cold+0x5e/0x5db
? __lock_text_start+0x8/0x8
? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
kasan_report+0xab/0x120
? cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
kasan_check_range+0xf5/0x1d0
memcpy+0x39/0x60
cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
cachefiles_acquire_volume+0x2be/0x500 [cachefiles]
? __cachefiles_free_volume+0x90/0x90 [cachefiles]
fscache_create_volume_work+0x68/0x160 [fscache]
process_one_work+0x3b7/0x6a0
worker_thread+0x2c4/0x650
? process_one_work+0x6a0/0x6a0
kthread+0x16c/0x1a0
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30

Allocated by task 1347:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
cachefiles_set_volume_xattr+0x76/0x350 [cachefiles]
cachefiles_acquire_volume+0x2be/0x500 [cachefiles]
fscache_create_volume_work+0x68/0x160 [fscache]
process_one_work+0x3b7/0x6a0
worker_thread+0x2c4/0x650
kthread+0x16c/0x1a0
ret_from_fork+0x22/0x30

The buggy address belongs to the object at ffff888101e02af0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 4 bytes inside of
8-byte region [ffff888101e02af0, ffff888101e02af8)

The buggy address belongs to the physical page:
page:00000000a2292d70 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101e02
flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0000200 0000000000000000 dead000000000001 ffff888100042280
raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888101e02980: fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc
 ffff888101e02a00: 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00
>ffff888101e02a80: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 04 fc
                                                             ^
 ffff888101e02b00: fc fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc
 ffff888101e02b80: fc fc 00 fc fc fc fc 00 fc fc fc fc 00 fc fc fc
==================================================================
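
Added example (not part of the advisory or the kernel patch): a Python triage helper that reads the key lines of the KASAN report above and works out how many bytes of the write fell outside the valid part of the object. It assumes generic KASAN with 8-byte shadow granules and row labels that are memory addresses, which matches the 0x80 stride between the 16-byte rows above; `triage` and `REPORT` are hypothetical names.

```python
import re

# Constructed sample: key lines copied from the KASAN report quoted above.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in cachefiles_set_volume_xattr+0xa0/0x350 [cachefiles]
Write of size 4 at addr ffff888101e02af4 by task kworker/6:0/1347
The buggy address belongs to the object at ffff888101e02af0
which belongs to the cache kmalloc-8 of size 8
>ffff888101e02a80: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc 04 fc
"""

GRANULE = 8  # assumption: generic KASAN, one shadow byte per 8 bytes of memory


def triage(report):
    """Summarise a slab KASAN report: what was accessed and how far out of bounds."""
    bug = re.search(r"KASAN: (\S+) in (\w+)\+", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", report)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache "
                    r"(\S+) of size (\d+)", report)
    row = re.search(r"^>([0-9a-f]+): ([0-9a-f ]+)$", report, re.M)
    if not (bug and acc and obj and row):
        raise ValueError("not a complete slab KASAN report")

    addr, size = int(acc.group(3), 16), int(acc.group(2))
    base, slot = int(obj.group(1), 16), int(obj.group(3))
    shadow = [int(b, 16) for b in row.group(2).split()]
    # The marked row starts at its label; pick the shadow byte covering the object.
    code = shadow[(base - int(row.group(1), 16)) // GRANULE]
    # 0x00: whole granule valid; 0x01..0x07: first N bytes valid; else poisoned.
    valid = GRANULE if code == 0 else code if code < GRANULE else 0

    start, end = addr - base, addr - base + size
    return {
        "kind": bug.group(1),
        "function": bug.group(2),
        "access": acc.group(1),
        "cache": obj.group(2),
        "valid_bytes": valid,                      # bytes the caller actually requested
        "offset": start,                           # where the access begins in the object
        "oob_bytes": max(0, end - max(start, valid)),
        "within_slot": end <= slot,                # overflow stays inside the slab slot
    }


if __name__ == "__main__":
    print(triage(REPORT))
```

For this report the helper shows a 4-byte allocation in a kmalloc-8 slot and a 4-byte write starting at offset 4, so the whole write lands past the requested length but inside the same slot.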
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.18:rc2:*:*:*:*:*:* | | |