Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49407

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
26/02/2025
Last modified:
22/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dlm: fix plock invalid read<br /> <br /> This patch fixes an invalid read showed by KASAN. A unlock will allocate a<br /> "struct plock_op" and a followed send_op() will append it to a global<br /> send_list data structure. In some cases a followed dev_read() moves it<br /> to recv_list and dev_write() will cast it to "struct plock_xop" and access<br /> fields which are only available in those structures. At this point an<br /> invalid read happens by accessing those fields.<br /> <br /> To fix this issue the "callback" field is moved to "struct plock_op" to<br /> indicate that a cast to "plock_xop" is allowed and does the additional<br /> "plock_xop" handling if set.<br /> <br /> Example of the KASAN output which showed the invalid read:<br /> <br /> [ 2064.296453] ==================================================================<br /> [ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]<br /> [ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484<br /> [ 2064.308168]<br /> [ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9<br /> [ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011<br /> [ 2064.311618] Call Trace:<br /> [ 2064.312218] dump_stack_lvl+0x56/0x7b<br /> [ 2064.313150] print_address_description.constprop.8+0x21/0x150<br /> [ 2064.314578] ? dev_write+0x52b/0x5a0 [dlm]<br /> [ 2064.315610] ? dev_write+0x52b/0x5a0 [dlm]<br /> [ 2064.316595] kasan_report.cold.14+0x7f/0x11b<br /> [ 2064.317674] ? dev_write+0x52b/0x5a0 [dlm]<br /> [ 2064.318687] dev_write+0x52b/0x5a0 [dlm]<br /> [ 2064.319629] ? dev_read+0x4a0/0x4a0 [dlm]<br /> [ 2064.320713] ? bpf_lsm_kernfs_init_security+0x10/0x10<br /> [ 2064.321926] vfs_write+0x17e/0x930<br /> [ 2064.322769] ? __fget_light+0x1aa/0x220<br /> [ 2064.323753] ksys_write+0xf1/0x1c0<br /> [ 2064.324548] ? __ia32_sys_read+0xb0/0xb0<br /> [ 2064.325464] do_syscall_64+0x3a/0x80<br /> [ 2064.326387] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> [ 2064.327606] RIP: 0033:0x7f807e4ba96f<br /> [ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48<br /> [ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001<br /> [ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f<br /> [ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010<br /> [ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001<br /> [ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80<br /> [ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001<br /> [ 2064.342857]<br /> [ 2064.343226] Allocated by task 12438:<br /> [ 2064.344057] kasan_save_stack+0x1c/0x40<br /> [ 2064.345079] __kasan_kmalloc+0x84/0xa0<br /> [ 2064.345933] kmem_cache_alloc_trace+0x13b/0x220<br /> [ 2064.346953] dlm_posix_unlock+0xec/0x720 [dlm]<br /> [ 2064.348811] do_lock_file_wait.part.32+0xca/0x1d0<br /> [ 2064.351070] fcntl_setlk+0x281/0xbc0<br /> [ 2064.352879] do_fcntl+0x5e4/0xfe0<br /> [ 2064.354657] __x64_sys_fcntl+0x11f/0x170<br /> [ 2064.356550] do_syscall_64+0x3a/0x80<br /> [ 2064.358259] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> [ 2064.360745]<br /> [ 2064.361511] Last potentially related work creation:<br /> [ 2064.363957] kasan_save_stack+0x1c/0x40<br /> [ 2064.365811] __kasan_record_aux_stack+0xaf/0xc0<br /> [ 2064.368100] call_rcu+0x11b/0xf70<br /> [ 2064.369785] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]<br /> [ 2064.372404] receive_from_sock+0x290/0x770 [dlm]<br /> [ 2064.374607] process_recv_sockets+0x32/0x40 [dlm]<br /> [ 2064.377290] process_one_work+0x9a8/0x16e0<br /> [ 2064.379357] worker_thread+0x87/0xbf0<br /> [ 2064.381188] kthread+0x3ac/0x490<br /> [ 2064.383460] ret_from_fork+0x22/0x30<br /> [ 2064.385588]<br /> [ 2064.386518] Second to last potentially related work creation:<br /> [ 2064.389219] kasan_save_stack+0x1c/0x40<br /> [ 2064.391043] __kasan_record_aux_stack+0xaf/0xc0<br /> [ 2064.393303] call_rcu+0x11b/0xf70<br /> [ 2064.394885] dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]<br /> [ 2064.397694] receive_from_sock+0x290/0x770 <br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): High

Base Score 3.x
7.10
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.22 (including) 4.9.318 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.283 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.247 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.198 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.121 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.17.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 5.18.3 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools