ghsa-9g9c-838j-m3cg
Vulnerability from github
Published: 2025-10-22 15:31
Modified: 2025-10-22 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

dm thin: Fix UAF in run_timer_softirq()

When dm_resume() and dm_destroy() are concurrent, it will lead to a UAF, as follows:

 BUG: KASAN: use-after-free in __run_timers+0x173/0x710
 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
<snip>
 Call Trace:
  <IRQ>
  dump_stack_lvl+0x73/0x9f
  print_report.cold+0x132/0xaa2
  _raw_spin_lock_irqsave+0xcd/0x160
  __run_timers+0x173/0x710
  kasan_report+0xad/0x110
  __run_timers+0x173/0x710
  __asan_store8+0x9c/0x140
  __run_timers+0x173/0x710
  call_timer_fn+0x310/0x310
  pvclock_clocksource_read+0xfa/0x250
  kvm_clock_read+0x2c/0x70
  kvm_clock_get_cycles+0xd/0x20
  ktime_get+0x5c/0x110
  lapic_next_event+0x38/0x50
  clockevents_program_event+0xf1/0x1e0
  run_timer_softirq+0x49/0x90
  __do_softirq+0x16e/0x62c
  __irq_exit_rcu+0x1fa/0x270
  irq_exit_rcu+0x12/0x20
  sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrency UAFs can be shown as below:

        use                                  free
do_resume                           |
  __find_device_hash_cell           |
    dm_get                          |
      atomic_inc(&md->holders)      |
                                    | dm_destroy
                                    |   __dm_destroy
                                    |     if (!dm_suspended_md(md))
                                    |     atomic_read(&md->holders)
                                    |     msleep(1)
  dm_resume                         |
    __dm_resume                     |
      dm_table_resume_targets       |
        pool_resume                 |
          do_waker  #add delay work |
  dm_put                            |
    atomic_dec(&md->holders)        |
                                    |     dm_table_destroy
                                    |       pool_dtr
                                    |         __pool_dec
                                    |           __pool_destroy
                                    |             destroy_workqueue
                                    |             kfree(pool) # free pool
        time out
__do_softirq
  run_timer_softirq # pool has already been freed

This can be easily reproduced using:
  1. create thin-pool
  2. dmsetup suspend pool
  3. dmsetup resume pool
  4. dmsetup remove_all # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds a timer after dm_destroy() skips cancelling the timer because of the suspend status. After the timeout, it will call run_timer_softirq(); however, the pool has already been freed. The concurrency UAF bug will happen.

Therefore, cancel the timer again in __pool_destroy().
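The interleaving in the diagram above, replayed in a small user-space C model. This is an added example, not kernel code and not part of the commit: a fixed-size array stands in for the timer wheel behind the delayed work, dm_destroy_presuspend() stands in for the cancel that __dm_destroy skips when the device is already suspended, and pool_destroy(pool, fixed) shows the destructor with and without the unconditional cancel the fix describes. All function names, the struct layout and the queue are constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: a tiny timer queue standing in for the kernel's
 * delayed-work timer. Entries capture the pool's address at schedule
 * time so nothing is dereferenced after the pool has been freed. */
#define MAX_TIMERS 8

struct timer_entry {
    void (*fn)(void *);
    uintptr_t arg;
};

static struct timer_entry timer_queue[MAX_TIMERS];
static int timer_count;

struct pool {
    bool suspended;       /* DMF_SUSPENDED analogue */
    bool waker_pending;   /* is the waker armed? */
};

static void do_waker(void *arg) { (void)arg; }

/* pool_resume -> do_waker: arm the periodic waker. */
static void schedule_waker(struct pool *pool)
{
    if (pool->waker_pending || timer_count == MAX_TIMERS)
        return;
    timer_queue[timer_count].fn = do_waker;
    timer_queue[timer_count].arg = (uintptr_t)pool;
    timer_count++;
    pool->waker_pending = true;
}

/* cancel_delayed_work_sync analogue: drop every entry aimed at pool. */
static void cancel_waker(struct pool *pool)
{
    int kept = 0;
    for (int i = 0; i < timer_count; i++)
        if (timer_queue[i].arg != (uintptr_t)pool)
            timer_queue[kept++] = timer_queue[i];
    timer_count = kept;
    pool->waker_pending = false;
}

/* What run_timer_softirq would find after the timeout: entries whose
 * target is the freed pool. Any nonzero count is the UAF in waiting. */
static int count_dangling(uintptr_t freed_addr)
{
    int n = 0;
    for (int i = 0; i < timer_count; i++)
        if (timer_queue[i].arg == freed_addr)
            n++;
    return n;
}

/* The cancel __dm_destroy performs via postsuspend, which it skips when
 * the device is already suspended (the advisory's root cause). */
static void dm_destroy_presuspend(struct pool *pool)
{
    if (!pool->suspended) {
        cancel_waker(pool);
        pool->suspended = true;
    }
}

/* __pool_destroy analogue; 'fixed' adds the unconditional cancel. */
static void pool_destroy(struct pool *pool, bool fixed)
{
    if (fixed)
        cancel_waker(pool);
    free(pool);
}

/* Replays steps 2-4 of the reproducer in the use/free interleaving.
 * Returns the number of timer entries still pointing at the freed pool. */
int run_race(bool fixed)
{
    timer_count = 0;
    struct pool *pool = calloc(1, sizeof *pool);
    if (!pool)
        return -1;
    uintptr_t addr = (uintptr_t)pool;

    pool->suspended = true;        /* 2. dmsetup suspend pool            */
    dm_destroy_presuspend(pool);   /* 4. remove_all starts: cancel skipped */
    pool->suspended = false;       /* 3. dmsetup resume pool ...          */
    schedule_waker(pool);          /*    ... pool_resume re-arms the waker */
    pool_destroy(pool, fixed);     /* 4. remove_all finishes: kfree(pool)  */

    return count_dangling(addr);   /* "time out" -> run_timer_softirq      */
}

int main(void)
{
    printf("unfixed: %d dangling timer(s)\n", run_race(false));
    printf("fixed:   %d dangling timer(s)\n", run_race(true));
    return 0;
}
```

The unfixed ordering leaves one queued entry aimed at freed memory and the fixed ordering leaves none. The defensive point the model isolates is that a cancel guarded by state observed earlier in the teardown is not a reliable cancel, because resume can change that state and re-arm the timer between the check and the free; the destructor itself has to cancel before freeing the object the callback will touch (in the kernel, cancel_delayed_work_sync() is the usual primitive for that, since tearing down the workqueue does not disarm a pending delayed work's timer).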


{
  "affected": [],
  "aliases": [
    "CVE-2022-50563"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T14:15:41Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: Fix UAF in run_timer_softirq()\n\nWhen dm_resume() and dm_destroy() are concurrent, it will\nlead to UAF, as follows:\n\n BUG: KASAN: use-after-free in __run_timers+0x173/0x710\n Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0\n\u003csnip\u003e\n Call Trace:\n  \u003cIRQ\u003e\n  dump_stack_lvl+0x73/0x9f\n  print_report.cold+0x132/0xaa2\n  _raw_spin_lock_irqsave+0xcd/0x160\n  __run_timers+0x173/0x710\n  kasan_report+0xad/0x110\n  __run_timers+0x173/0x710\n  __asan_store8+0x9c/0x140\n  __run_timers+0x173/0x710\n  call_timer_fn+0x310/0x310\n  pvclock_clocksource_read+0xfa/0x250\n  kvm_clock_read+0x2c/0x70\n  kvm_clock_get_cycles+0xd/0x20\n  ktime_get+0x5c/0x110\n  lapic_next_event+0x38/0x50\n  clockevents_program_event+0xf1/0x1e0\n  run_timer_softirq+0x49/0x90\n  __do_softirq+0x16e/0x62c\n  __irq_exit_rcu+0x1fa/0x270\n  irq_exit_rcu+0x12/0x20\n  sysvec_apic_timer_interrupt+0x8e/0xc0\n\nOne of the concurrency UAF can be shown as below:\n\n        use                                  free\ndo_resume                           |\n  __find_device_hash_cell           |\n    dm_get                          |\n      atomic_inc(\u0026md-\u003eholders)      |\n                                    | dm_destroy\n                                    |   __dm_destroy\n                                    |     if (!dm_suspended_md(md))\n                                    |     atomic_read(\u0026md-\u003eholders)\n                                    |     msleep(1)\n  dm_resume                         |\n    __dm_resume                     |\n      dm_table_resume_targets       |\n        pool_resume                 |\n          do_waker  #add delay work |\n  dm_put                            |\n    atomic_dec(\u0026md-\u003eholders)        |\n                                    |     dm_table_destroy\n                                    |       pool_dtr\n                                    |         __pool_dec\n                                    |           __pool_destroy\n                                    |             destroy_workqueue\n                                    |             kfree(pool) # free pool\n        time out\n__do_softirq\n  run_timer_softirq # pool has already been freed\n\nThis can be easily reproduced using:\n  1. create thin-pool\n  2. dmsetup suspend pool\n  3. dmsetup resume pool\n  4. dmsetup remove_all # Concurrent with 3\n\nThe root cause of this UAF bug is that dm_resume() adds timer after\ndm_destroy() skips cancelling the timer because of suspend status.\nAfter timeout, it will call run_timer_softirq(), however pool has\nalready been freed. The concurrency UAF bug will happen.\n\nTherefore, cancelling timer again in __pool_destroy().",
  "id": "GHSA-9g9c-838j-m3cg",
  "modified": "2025-10-22T15:31:09Z",
  "published": "2025-10-22T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50563"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}