fkie_cve-2022-50563
Vulnerability from fkie_nvd
Published
2025-10-22 14:15
Modified
2025-10-22 21:12
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: dm thin: Fix UAF in run_timer_softirq() When dm_resume() and dm_destroy() are concurrent, it will lead to UAF, as follows: BUG: KASAN: use-after-free in __run_timers+0x173/0x710 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0 <snip> Call Trace: <IRQ> dump_stack_lvl+0x73/0x9f print_report.cold+0x132/0xaa2 _raw_spin_lock_irqsave+0xcd/0x160 __run_timers+0x173/0x710 kasan_report+0xad/0x110 __run_timers+0x173/0x710 __asan_store8+0x9c/0x140 __run_timers+0x173/0x710 call_timer_fn+0x310/0x310 pvclock_clocksource_read+0xfa/0x250 kvm_clock_read+0x2c/0x70 kvm_clock_get_cycles+0xd/0x20 ktime_get+0x5c/0x110 lapic_next_event+0x38/0x50 clockevents_program_event+0xf1/0x1e0 run_timer_softirq+0x49/0x90 __do_softirq+0x16e/0x62c __irq_exit_rcu+0x1fa/0x270 irq_exit_rcu+0x12/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0 One of the concurrency UAF can be shown as below: use free do_resume | __find_device_hash_cell | dm_get | atomic_inc(&md->holders) | | dm_destroy | __dm_destroy | if (!dm_suspended_md(md)) | atomic_read(&md->holders) | msleep(1) dm_resume | __dm_resume | dm_table_resume_targets | pool_resume | do_waker #add delay work | dm_put | atomic_dec(&md->holders) | | dm_table_destroy | pool_dtr | __pool_dec | __pool_destroy | destroy_workqueue | kfree(pool) # free pool time out __do_softirq run_timer_softirq # pool has already been freed This can be easily reproduced using: 1. create thin-pool 2. dmsetup suspend pool 3. dmsetup resume pool 4. dmsetup remove_all # Concurrent with 3 The root cause of this UAF bug is that dm_resume() adds timer after dm_destroy() skips cancelling the timer because of suspend status. After timeout, it will call run_timer_softirq(), however pool has already been freed. The concurrency UAF bug will happen. Therefore, cancelling timer again in __pool_destroy().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix UAF in run_timer_softirq()\n\nWhen dm_resume() and dm_destroy() are concurrent, it will\nlead to UAF, as follows:\n\n BUG: KASAN: use-after-free in __run_timers+0x173/0x710\n Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0\n\u003csnip\u003e\n Call Trace:\n  \u003cIRQ\u003e\n  dump_stack_lvl+0x73/0x9f\n  print_report.cold+0x132/0xaa2\n  _raw_spin_lock_irqsave+0xcd/0x160\n  __run_timers+0x173/0x710\n  kasan_report+0xad/0x110\n  __run_timers+0x173/0x710\n  __asan_store8+0x9c/0x140\n  __run_timers+0x173/0x710\n  call_timer_fn+0x310/0x310\n  pvclock_clocksource_read+0xfa/0x250\n  kvm_clock_read+0x2c/0x70\n  kvm_clock_get_cycles+0xd/0x20\n  ktime_get+0x5c/0x110\n  lapic_next_event+0x38/0x50\n  clockevents_program_event+0xf1/0x1e0\n  run_timer_softirq+0x49/0x90\n  __do_softirq+0x16e/0x62c\n  __irq_exit_rcu+0x1fa/0x270\n  irq_exit_rcu+0x12/0x20\n  sysvec_apic_timer_interrupt+0x8e/0xc0\n\nOne of the concurrency UAF can be shown as below:\n\n        use                                  free\ndo_resume                           |\n  __find_device_hash_cell           |\n    dm_get                          |\n      atomic_inc(\u0026md-\u003eholders)      |\n                                    | dm_destroy\n                                    |   __dm_destroy\n                                    |     if (!dm_suspended_md(md))\n                                    |     atomic_read(\u0026md-\u003eholders)\n                                    |     msleep(1)\n  dm_resume                         |\n    __dm_resume                     |\n      dm_table_resume_targets       |\n        pool_resume                 |\n          do_waker  #add delay work |\n  dm_put                            |\n    atomic_dec(\u0026md-\u003eholders)        |\n                                    |     dm_table_destroy\n                                    |       pool_dtr\n                                    |         __pool_dec\n                                    |           __pool_destroy\n                                    |             destroy_workqueue\n                                    |             kfree(pool) # free pool\n        time out\n__do_softirq\n  run_timer_softirq # pool has already been freed\n\nThis can be easily reproduced using:\n  1. create thin-pool\n  2. dmsetup suspend pool\n  3. dmsetup resume pool\n  4. dmsetup remove_all # Concurrent with 3\n\nThe root cause of this UAF bug is that dm_resume() adds timer after\ndm_destroy() skips cancelling the timer because of suspend status.\nAfter timeout, it will call run_timer_softirq(), however pool has\nalready been freed. The concurrency UAF bug will happen.\n\nTherefore, cancelling timer again in __pool_destroy()."
    }
  ],
  "id": "CVE-2022-50563",
  "lastModified": "2025-10-22T21:12:48.953",
  "metrics": {},
  "published": "2025-10-22T14:15:41.067",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.