CVE-2022-50819 (GCVE-0-2022-50819)
Vulnerability from cvelistv5
Published
2025-12-30 12:08
Modified
2025-12-30 12:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
When userspace tries to map the dmabuf and if for some reason
(e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be
set to NULL. Otherwise, when the userspace subsequently closes the
dmabuf fd, we'd try to erroneously free the invalid sg table from
release_udmabuf resulting in the following crash reported by syzbot:
general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted
5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 07/22/2022
RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c
8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14
02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2
RSP: 0018:ffffc900037efd30 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000
RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000
R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000
FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78
__dentry_kill+0x42b/0x640 fs/dcache.c:612
dentry_kill fs/dcache.c:733 [inline]
dput+0x806/0xdb0 fs/dcache.c:913
__fput+0x39c/0x9d0 fs/file_table.c:333
task_work_run+0xdd/0x1a0 kernel/task_work.c:177
ptrace_notify+0x114/0x140 kernel/signal.c:2353
ptrace_report_syscall include/linux/ptrace.h:420 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
syscall_exit_work kernel/entry/common.c:249 [inline]
syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276
__syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc1c0c35b6b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24
0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b
RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006
RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c
R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/udmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bbe2f6f90310b3a0b5de4e0dc022b36faabfd718",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dfbed8c92eb853929f4fa676ba493391dab47be4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fc285549f454c0f50f87ec945fc0bf44719c0fa4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9861e43f097a50678041f973347b3a88f2da09cf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d9c04a1b7a15b5e74b2977461d9511e497f05d8f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma-buf/udmabuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.150",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: Set ubuf-\u003esg = NULL if the creation of sg table fails\n\nWhen userspace tries to map the dmabuf and if for some reason\n(e.g. OOM) the creation of the sg table fails, ubuf-\u003esg needs to be\nset to NULL. Otherwise, when the userspace subsequently closes the\ndmabuf fd, we\u0027d try to erroneously free the invalid sg table from\nrelease_udmabuf resulting in the following crash reported by syzbot:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 0 PID: 3609 Comm: syz-executor487 Not tainted\n5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\nGoogle 07/22/2022\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114\nCode: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c\n8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 14\n02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2\nRSP: 0018:ffffc900037efd30 EFLAGS: 00010246\nRAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000\nRBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000\nR13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000\nFS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78\n __dentry_kill+0x42b/0x640 fs/dcache.c:612\n dentry_kill fs/dcache.c:733 [inline]\n dput+0x806/0xdb0 fs/dcache.c:913\n __fput+0x39c/0x9d0 fs/file_table.c:333\n task_work_run+0xdd/0x1a0 kernel/task_work.c:177\n ptrace_notify+0x114/0x140 kernel/signal.c:2353\n ptrace_report_syscall include/linux/ptrace.h:420 [inline]\n ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]\n syscall_exit_work kernel/entry/common.c:249 [inline]\n syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276\n __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]\n syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fc1c0c35b6b\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24\n0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 \u003c48\u003e 3d 00\nf0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\nRSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b\nRDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006\nRBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c\nR13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140\n \u003c/TASK\u003e\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T12:08:34.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bbe2f6f90310b3a0b5de4e0dc022b36faabfd718"
},
{
"url": "https://git.kernel.org/stable/c/dfbed8c92eb853929f4fa676ba493391dab47be4"
},
{
"url": "https://git.kernel.org/stable/c/fc285549f454c0f50f87ec945fc0bf44719c0fa4"
},
{
"url": "https://git.kernel.org/stable/c/9861e43f097a50678041f973347b3a88f2da09cf"
},
{
"url": "https://git.kernel.org/stable/c/d9c04a1b7a15b5e74b2977461d9511e497f05d8f"
}
],
"title": "udmabuf: Set ubuf-\u003esg = NULL if the creation of sg table fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50819",
"datePublished": "2025-12-30T12:08:34.225Z",
"dateReserved": "2025-12-30T12:06:07.131Z",
"dateUpdated": "2025-12-30T12:08:34.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-50819\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:15:56.307\",\"lastModified\":\"2025-12-31T20:43:05.160\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nudmabuf: Set ubuf-\u003esg = NULL if the creation of sg table fails\\n\\nWhen userspace tries to map the dmabuf and if for some reason\\n(e.g. OOM) the creation of the sg table fails, ubuf-\u003esg needs to be\\nset to NULL. Otherwise, when the userspace subsequently closes the\\ndmabuf fd, we\u0027d try to erroneously free the invalid sg table from\\nrelease_udmabuf resulting in the following crash reported by syzbot:\\n\\ngeneral protection fault, probably for non-canonical address\\n0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN\\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\\nCPU: 0 PID: 3609 Comm: syz-executor487 Not tainted\\n5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS\\nGoogle 07/22/2022\\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114\\nCode: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c\\n8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 14\\n02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2\\nRSP: 0018:ffffc900037efd30 EFLAGS: 00010246\\nRAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000\\nRDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000\\nRBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000\\nR10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000\\nR13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000\\nFS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000)\\nknlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0\\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\\nCall Trace:\\n \u003cTASK\u003e\\n dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78\\n __dentry_kill+0x42b/0x640 fs/dcache.c:612\\n dentry_kill fs/dcache.c:733 [inline]\\n dput+0x806/0xdb0 fs/dcache.c:913\\n __fput+0x39c/0x9d0 fs/file_table.c:333\\n task_work_run+0xdd/0x1a0 kernel/task_work.c:177\\n ptrace_notify+0x114/0x140 kernel/signal.c:2353\\n ptrace_report_syscall include/linux/ptrace.h:420 [inline]\\n ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]\\n syscall_exit_work kernel/entry/common.c:249 [inline]\\n syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276\\n __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]\\n syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294\\n do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\nRIP: 0033:0x7fc1c0c35b6b\\nCode: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24\\n0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 \u003c48\u003e 3d 00\\nf0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44\\nRSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\\nRAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b\\nRDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006\\nRBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000\\nR10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c\\nR13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140\\n \u003c/TASK\u003e\\nModules linked in:\\n---[ end trace 0000000000000000 ]---\\nRIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]\\nRIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]\\nRIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/9861e43f097a50678041f973347b3a88f2da09cf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bbe2f6f90310b3a0b5de4e0dc022b36faabfd718\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d9c04a1b7a15b5e74b2977461d9511e497f05d8f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dfbed8c92eb853929f4fa676ba493391dab47be4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fc285549f454c0f50f87ec945fc0bf44719c0fa4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…