ghsa-hr8j-x4gj-pqf8
Vulnerability from github
Published
2025-02-27 21:32
Modified
2025-02-27 21:32
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

dm: fix use-after-free in dm_cleanup_zoned_dev()

dm_cleanup_zoned_dev() uses queue, so it must be called before blk_cleanup_disk() starts its killing:

blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()-> ->...RCU...->blk_free_queue_rcu()->kmem_cache_free()

Otherwise, RCU callback may be executed first and dm_cleanup_zoned_dev() will touch free'd memory:

BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0 Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681

CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: dump_stack_lvl+0x57/0x7d print_address_description.constprop.0+0x1f/0x150 ? dm_cleanup_zoned_dev+0x33/0xd0 kasan_report.cold+0x7f/0x11b ? dm_cleanup_zoned_dev+0x33/0xd0 dm_cleanup_zoned_dev+0x33/0xd0 __dm_destroy+0x26a/0x400 ? dm_blk_ioctl+0x230/0x230 ? up_write+0xd8/0x270 dev_remove+0x156/0x1d0 ctl_ioctl+0x269/0x530 ? table_clear+0x140/0x140 ? lock_release+0xb2/0x750 ? remove_all+0x40/0x40 ? rcu_read_lock_sched_held+0x12/0x70 ? lock_downgrade+0x3c0/0x3c0 ? rcu_read_lock_sched_held+0x12/0x70 dm_ctl_ioctl+0xa/0x10 __x64_sys_ioctl+0xb9/0xf0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fb6dfa95c27

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix use-after-free in dm_cleanup_zoned_dev()\n\ndm_cleanup_zoned_dev() uses queue, so it must be called\nbefore blk_cleanup_disk() starts its killing:\n\nblk_cleanup_disk-\u003eblk_cleanup_queue()-\u003ekobject_put()-\u003eblk_release_queue()-\u003e\n-\u003e...RCU...-\u003eblk_free_queue_rcu()-\u003ekmem_cache_free()\n\nOtherwise, RCU callback may be executed first and\ndm_cleanup_zoned_dev() will touch free\u0027d memory:\n\n BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0\n Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681\n\n CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x57/0x7d\n  print_address_description.constprop.0+0x1f/0x150\n  ? dm_cleanup_zoned_dev+0x33/0xd0\n  kasan_report.cold+0x7f/0x11b\n  ? dm_cleanup_zoned_dev+0x33/0xd0\n  dm_cleanup_zoned_dev+0x33/0xd0\n  __dm_destroy+0x26a/0x400\n  ? dm_blk_ioctl+0x230/0x230\n  ? up_write+0xd8/0x270\n  dev_remove+0x156/0x1d0\n  ctl_ioctl+0x269/0x530\n  ? table_clear+0x140/0x140\n  ? lock_release+0xb2/0x750\n  ? remove_all+0x40/0x40\n  ? rcu_read_lock_sched_held+0x12/0x70\n  ? lock_downgrade+0x3c0/0x3c0\n  ? rcu_read_lock_sched_held+0x12/0x70\n  dm_ctl_ioctl+0xa/0x10\n  __x64_sys_ioctl+0xb9/0xf0\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fb6dfa95c27",
  "id": "GHSA-hr8j-x4gj-pqf8",
  "modified": "2025-02-27T21:32:13Z",
  "published": "2025-02-27T21:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49270"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0987f00a76a17aa7213da492c00ed9e5a6210c73"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/43a043aed964659bc69ef81f266912b73c80d837"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/588b7f5df0cb64f281290c7672470c006abe7160"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fdfe414ca28ddfd562c233fb27385cf820de03e8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.