ghsa-pwv6-q4qx-8vf8
Vulnerability from github
Published
2025-09-15 15:31
Modified
2025-09-15 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()

Syzkaller produced the below call trace:

BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0 Write of size 8 at addr 0000000000000070 by task repro/16399

CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 Call Trace: dump_stack_lvl+0xcd/0x134 ? io_msg_ring+0x3cb/0x9f0 kasan_report+0xbc/0xf0 ? io_msg_ring+0x3cb/0x9f0 kasan_check_range+0x140/0x190 io_msg_ring+0x3cb/0x9f0 ? io_msg_ring_prep+0x300/0x300 io_issue_sqe+0x698/0xca0 io_submit_sqes+0x92f/0x1c30 __do_sys_io_uring_enter+0xae4/0x24b0 .... RIP: 0033:0x7f2eaf8f8289 RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289 RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004 RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0 R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000 Kernel panic - not syncing: panic_on_warn set ...

We don't have a NULL check on file_ptr in io_msg_send_fd() function, so when file_ptr is NUL src_file is also NULL and get_file() dereferences a NULL pointer and leads to above crash.

Add a NULL check to fix this issue.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50295"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T15:15:40Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()\n\nSyzkaller produced the below call trace:\n\n BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0\n Write of size 8 at addr 0000000000000070 by task repro/16399\n\n CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0xcd/0x134\n  ? io_msg_ring+0x3cb/0x9f0\n  kasan_report+0xbc/0xf0\n  ? io_msg_ring+0x3cb/0x9f0\n  kasan_check_range+0x140/0x190\n  io_msg_ring+0x3cb/0x9f0\n  ? io_msg_ring_prep+0x300/0x300\n  io_issue_sqe+0x698/0xca0\n  io_submit_sqes+0x92f/0x1c30\n  __do_sys_io_uring_enter+0xae4/0x24b0\n....\n RIP: 0033:0x7f2eaf8f8289\n RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa\n RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289\n RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004\n RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039\n R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0\n R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000\n  \u003c/TASK\u003e\n Kernel panic - not syncing: panic_on_warn set ...\n\nWe don\u0027t have a NULL check on file_ptr in io_msg_send_fd() function,\nso when file_ptr is NUL src_file is also NULL and get_file()\ndereferences a NULL pointer and leads to above crash.\n\nAdd a NULL check to fix this issue.",
  "id": "GHSA-pwv6-q4qx-8vf8",
  "modified": "2025-09-15T15:31:26Z",
  "published": "2025-09-15T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50295"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0163e04ea64cc3dfaa12390286e5f2f481c3b2e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/16bbdfe5fb0e78e0acb13e45fc127e9a296913f2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.