CVE-2022-49377 (GCVE-0-2022-49377)
Vulnerability from cvelistv5
Published
2025-02-26 02:11
Modified
2025-05-04 08:36
Summary
In the Linux kernel, the following vulnerability has been resolved: blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx blk_mq_run_hw_queues() could be run when there isn't queued request and after queue is cleaned up, at that time tagset is freed, because tagset lifetime is covered by driver, and often freed after blk_cleanup_queue() returns. So don't touch ->tagset for figuring out current default hctx by the mapping built in request queue, so use-after-free on tagset can be avoided. Meantime this way should be fast than retrieving mapping from tagset.
Impacted products
Vendor Product Version
Linux Linux Version: b6e68ee82585f2ee890b0a897a6aacbf49a467bb
Version: b6e68ee82585f2ee890b0a897a6aacbf49a467bb
Version: b6e68ee82585f2ee890b0a897a6aacbf49a467bb
Version: b6e68ee82585f2ee890b0a897a6aacbf49a467bb
Create a notification for this product.
   Linux Linux Version: 5.12
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49377",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:16:30.402440Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:33.551Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-mq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "460aa288c5cd0544dcf933a2f0ad0e8c6d2d35ff",
              "status": "affected",
              "version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
              "versionType": "git"
            },
            {
              "lessThan": "b140bac470b4f707cda59c7266214246238661df",
              "status": "affected",
              "version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
              "versionType": "git"
            },
            {
              "lessThan": "70fdd922c7bf8949f8df109cf2635dff64c90392",
              "status": "affected",
              "version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
              "versionType": "git"
            },
            {
              "lessThan": "5d05426e2d5fd7df8afc866b78c36b37b00188b7",
              "status": "affected",
              "version": "b6e68ee82585f2ee890b0a897a6aacbf49a467bb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-mq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.47",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.47",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.15",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.4",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: don\u0027t touch -\u003etagset in blk_mq_get_sq_hctx\n\nblk_mq_run_hw_queues() could be run when there isn\u0027t queued request and\nafter queue is cleaned up, at that time tagset is freed, because tagset\nlifetime is covered by driver, and often freed after blk_cleanup_queue()\nreturns.\n\nSo don\u0027t touch -\u003etagset for figuring out current default hctx by the mapping\nbuilt in request queue, so use-after-free on tagset can be avoided. Meantime\nthis way should be fast than retrieving mapping from tagset."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:36:23.254Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/460aa288c5cd0544dcf933a2f0ad0e8c6d2d35ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/b140bac470b4f707cda59c7266214246238661df"
        },
        {
          "url": "https://git.kernel.org/stable/c/70fdd922c7bf8949f8df109cf2635dff64c90392"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d05426e2d5fd7df8afc866b78c36b37b00188b7"
        }
      ],
      "title": "blk-mq: don\u0027t touch -\u003etagset in blk_mq_get_sq_hctx",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49377",
    "datePublished": "2025-02-26T02:11:16.607Z",
    "dateReserved": "2025-02-26T02:08:31.558Z",
    "dateUpdated": "2025-05-04T08:36:23.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49377\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-26T07:01:14.357\",\"lastModified\":\"2025-03-25T14:58:01.213\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-mq: don\u0027t touch -\u003etagset in blk_mq_get_sq_hctx\\n\\nblk_mq_run_hw_queues() could be run when there isn\u0027t queued request and\\nafter queue is cleaned up, at that time tagset is freed, because tagset\\nlifetime is covered by driver, and often freed after blk_cleanup_queue()\\nreturns.\\n\\nSo don\u0027t touch -\u003etagset for figuring out current default hctx by the mapping\\nbuilt in request queue, so use-after-free on tagset can be avoided. Meantime\\nthis way should be fast than retrieving mapping from tagset.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blk-mq: no toque -\u0026gt;tagset en blk_mq_get_sq_hctx blk_mq_run_hw_queues() podr\u00eda ejecutarse cuando no hay una solicitud en cola y despu\u00e9s de que se limpie la cola, en ese momento se libera el conjunto de etiquetas, porque el controlador cubre la vida \u00fatil del conjunto de etiquetas y, a menudo, se libera despu\u00e9s de que blk_cleanup_queue() regrese. Por lo tanto, no toque -\u0026gt;tagset para averiguar el hctx predeterminado actual por el mapeo integrado en la cola de solicitudes, por lo que se puede evitar el use-after-free en el conjunto de etiquetas. Mientras tanto, esta forma deber\u00eda ser m\u00e1s r\u00e1pida que recuperar el mapeo del conjunto de etiquetas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.12\",\"versionEndExcluding\":\"5.15.47\",\"matchCriteriaId\":\"E8CE53EB-22BF-479D-A782-6BDD74CD210E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.17.15\",\"matchCriteriaId\":\"53E7AA2E-2FB4-45CA-A22B-08B4EDBB51AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.18\",\"versionEndExcluding\":\"5.18.4\",\"matchCriteriaId\":\"FA6D643C-6D6A-4821-8A8D-B5776B8F0103\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/460aa288c5cd0544dcf933a2f0ad0e8c6d2d35ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5d05426e2d5fd7df8afc866b78c36b37b00188b7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/70fdd922c7bf8949f8df109cf2635dff64c90392\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b140bac470b4f707cda59c7266214246238661df\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-02-26T02:11:16.607Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-mq: don\u0027t touch -\u003etagset in blk_mq_get_sq_hctx\\n\\nblk_mq_run_hw_queues() could be run when there isn\u0027t queued request and\\nafter queue is cleaned up, at that time tagset is freed, because tagset\\nlifetime is covered by driver, and often freed after blk_cleanup_queue()\\nreturns.\\n\\nSo don\u0027t touch -\u003etagset for figuring out current default hctx by the mapping\\nbuilt in request queue, so use-after-free on tagset can be avoided. Meantime\\nthis way should be fast than retrieving mapping from tagset.\"}], \"affected\": [{\"product\": \"Linux\", \"vendor\": \"Linux\", \"defaultStatus\": \"unaffected\", \"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"programFiles\": [\"block/blk-mq.c\"], \"versions\": [{\"version\": \"b6e68ee82585f2ee890b0a897a6aacbf49a467bb\", \"lessThan\": \"460aa288c5cd0544dcf933a2f0ad0e8c6d2d35ff\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"b6e68ee82585f2ee890b0a897a6aacbf49a467bb\", \"lessThan\": \"b140bac470b4f707cda59c7266214246238661df\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"b6e68ee82585f2ee890b0a897a6aacbf49a467bb\", \"lessThan\": \"70fdd922c7bf8949f8df109cf2635dff64c90392\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"b6e68ee82585f2ee890b0a897a6aacbf49a467bb\", \"lessThan\": \"5d05426e2d5fd7df8afc866b78c36b37b00188b7\", \"status\": \"affected\", \"versionType\": \"git\"}]}, {\"product\": \"Linux\", \"vendor\": \"Linux\", \"defaultStatus\": \"affected\", \"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"programFiles\": [\"block/blk-mq.c\"], \"versions\": [{\"version\": \"5.12\", \"status\": \"affected\"}, {\"version\": \"0\", \"lessThan\": \"5.12\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.15.47\", \"lessThanOrEqual\": \"5.15.*\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.17.15\", \"lessThanOrEqual\": \"5.17.*\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.18.4\", \"lessThanOrEqual\": \"5.18.*\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.19\", \"lessThanOrEqual\": \"*\", \"status\": \"unaffected\", \"versionType\": \"original_commit_for_fix\"}]}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/460aa288c5cd0544dcf933a2f0ad0e8c6d2d35ff\"}, {\"url\": \"https://git.kernel.org/stable/c/b140bac470b4f707cda59c7266214246238661df\"}, {\"url\": \"https://git.kernel.org/stable/c/70fdd922c7bf8949f8df109cf2635dff64c90392\"}, {\"url\": \"https://git.kernel.org/stable/c/5d05426e2d5fd7df8afc866b78c36b37b00188b7\"}], \"title\": \"blk-mq: don\u0027t touch -\u003etagset in blk_mq_get_sq_hctx\", \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-49377\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T18:16:30.402440Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T18:16:31.683Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-49377\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Linux\", \"dateReserved\": \"2025-02-26T02:08:31.558Z\", \"datePublished\": \"2025-02-26T02:11:16.607Z\", \"dateUpdated\": \"2025-02-27T18:22:33.551Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…