fkie_cve-2022-50295
Vulnerability from fkie_nvd
Published
2025-09-15 15:15
Modified
2025-09-15 15:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd() Syzkaller produced the below call trace: BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0 Write of size 8 at addr 0000000000000070 by task repro/16399 CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_msg_ring+0x3cb/0x9f0 kasan_report+0xbc/0xf0 ? io_msg_ring+0x3cb/0x9f0 kasan_check_range+0x140/0x190 io_msg_ring+0x3cb/0x9f0 ? io_msg_ring_prep+0x300/0x300 io_issue_sqe+0x698/0xca0 io_submit_sqes+0x92f/0x1c30 __do_sys_io_uring_enter+0xae4/0x24b0 .... RIP: 0033:0x7f2eaf8f8289 RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289 RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004 RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0 R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ... We don't have a NULL check on file_ptr in io_msg_send_fd() function, so when file_ptr is NUL src_file is also NULL and get_file() dereferences a NULL pointer and leads to above crash. Add a NULL check to fix this issue.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0163e04ea64cc3dfaa12390286e5f2f481c3b2e3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/16bbdfe5fb0e78e0acb13e45fc127e9a296913f2
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()\n\nSyzkaller produced the below call trace:\n\n BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0\n Write of size 8 at addr 0000000000000070 by task repro/16399\n\n CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0xcd/0x134\n  ? io_msg_ring+0x3cb/0x9f0\n  kasan_report+0xbc/0xf0\n  ? io_msg_ring+0x3cb/0x9f0\n  kasan_check_range+0x140/0x190\n  io_msg_ring+0x3cb/0x9f0\n  ? io_msg_ring_prep+0x300/0x300\n  io_issue_sqe+0x698/0xca0\n  io_submit_sqes+0x92f/0x1c30\n  __do_sys_io_uring_enter+0xae4/0x24b0\n....\n RIP: 0033:0x7f2eaf8f8289\n RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289\n RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004\n RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0\n R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000\n  \u003c/TASK\u003e\n Kernel panic - not syncing: panic_on_warn set ...\n\nWe don\u0027t have a NULL check on file_ptr in io_msg_send_fd() function,\nso when file_ptr is NUL src_file is also NULL and get_file()\ndereferences a NULL pointer and leads to above crash.\n\nAdd a NULL check to fix this issue."
    }
  ],
  "id": "CVE-2022-50295",
  "lastModified": "2025-09-15T15:22:27.090",
  "metrics": {},
  "published": "2025-09-15T15:15:40.880",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0163e04ea64cc3dfaa12390286e5f2f481c3b2e3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/16bbdfe5fb0e78e0acb13e45fc127e9a296913f2"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.