CVE-2022-50064 (GCVE-0-2022-50064)
Vulnerability from cvelistv5
Published
2025-06-18 11:02
Modified
2025-06-18 11:02
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: virtio-blk: Avoid use-after-free on suspend/resume hctx->user_data is set to vq in virtblk_init_hctx(). However, vq is freed on suspend and reallocated on resume. So, hctx->user_data is invalid after resume, and it will cause use-after-free accessing which will result in the kernel crash something like below: [ 22.428391] Call Trace: [ 22.428899] <TASK> [ 22.429339] virtqueue_add_split+0x3eb/0x620 [ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0 [ 22.430789] ? kvm_clock_get_cycles+0x14/0x30 [ 22.431496] virtqueue_add_sgs+0xad/0xd0 [ 22.432108] virtblk_add_req+0xe8/0x150 [ 22.432692] virtio_queue_rqs+0xeb/0x210 [ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280 [ 22.434059] __blk_flush_plug+0xe1/0x140 [ 22.434853] blk_finish_plug+0x20/0x40 [ 22.435512] read_pages+0x20a/0x2e0 [ 22.436063] ? folio_add_lru+0x62/0xa0 [ 22.436652] page_cache_ra_unbounded+0x112/0x160 [ 22.437365] filemap_get_pages+0xe1/0x5b0 [ 22.437964] ? context_to_sid+0x70/0x100 [ 22.438580] ? sidtab_context_to_sid+0x32/0x400 [ 22.439979] filemap_read+0xcd/0x3d0 [ 22.440917] xfs_file_buffered_read+0x4a/0xc0 [ 22.441984] xfs_file_read_iter+0x65/0xd0 [ 22.442970] __kernel_read+0x160/0x2e0 [ 22.443921] bprm_execve+0x21b/0x640 [ 22.444809] do_execveat_common.isra.0+0x1a8/0x220 [ 22.446008] __x64_sys_execve+0x2d/0x40 [ 22.446920] do_syscall_64+0x37/0x90 [ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd This patch fixes this issue by getting vq from vblk, and removes virtblk_init_hctx().
References
Impacted products
Vendor Product Version
Linux Linux Version: 4e0400525691d0e676dbe002641f9a61261f1e1b
Version: 4e0400525691d0e676dbe002641f9a61261f1e1b
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/virtio_blk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2b54e14535bc34bf649372060d518ec9f2b893b3",
              "status": "affected",
              "version": "4e0400525691d0e676dbe002641f9a61261f1e1b",
              "versionType": "git"
            },
            {
              "lessThan": "8d12ec10292877751ee4463b11a63bd850bc09b5",
              "status": "affected",
              "version": "4e0400525691d0e676dbe002641f9a61261f1e1b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/block/virtio_blk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.4",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Avoid use-after-free on suspend/resume\n\nhctx-\u003euser_data is set to vq in virtblk_init_hctx().  However, vq is\nfreed on suspend and reallocated on resume.  So, hctx-\u003euser_data is\ninvalid after resume, and it will cause use-after-free accessing which\nwill result in the kernel crash something like below:\n\n[   22.428391] Call Trace:\n[   22.428899]  \u003cTASK\u003e\n[   22.429339]  virtqueue_add_split+0x3eb/0x620\n[   22.430035]  ? __blk_mq_alloc_requests+0x17f/0x2d0\n[   22.430789]  ? kvm_clock_get_cycles+0x14/0x30\n[   22.431496]  virtqueue_add_sgs+0xad/0xd0\n[   22.432108]  virtblk_add_req+0xe8/0x150\n[   22.432692]  virtio_queue_rqs+0xeb/0x210\n[   22.433330]  blk_mq_flush_plug_list+0x1b8/0x280\n[   22.434059]  __blk_flush_plug+0xe1/0x140\n[   22.434853]  blk_finish_plug+0x20/0x40\n[   22.435512]  read_pages+0x20a/0x2e0\n[   22.436063]  ? folio_add_lru+0x62/0xa0\n[   22.436652]  page_cache_ra_unbounded+0x112/0x160\n[   22.437365]  filemap_get_pages+0xe1/0x5b0\n[   22.437964]  ? context_to_sid+0x70/0x100\n[   22.438580]  ? sidtab_context_to_sid+0x32/0x400\n[   22.439979]  filemap_read+0xcd/0x3d0\n[   22.440917]  xfs_file_buffered_read+0x4a/0xc0\n[   22.441984]  xfs_file_read_iter+0x65/0xd0\n[   22.442970]  __kernel_read+0x160/0x2e0\n[   22.443921]  bprm_execve+0x21b/0x640\n[   22.444809]  do_execveat_common.isra.0+0x1a8/0x220\n[   22.446008]  __x64_sys_execve+0x2d/0x40\n[   22.446920]  do_syscall_64+0x37/0x90\n[   22.447773]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by getting vq from vblk, and removes\nvirtblk_init_hctx()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T11:02:11.276Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2b54e14535bc34bf649372060d518ec9f2b893b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d12ec10292877751ee4463b11a63bd850bc09b5"
        }
      ],
      "title": "virtio-blk: Avoid use-after-free on suspend/resume",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50064",
    "datePublished": "2025-06-18T11:02:11.276Z",
    "dateReserved": "2025-06-18T10:57:27.405Z",
    "dateUpdated": "2025-06-18T11:02:11.276Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50064\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T11:15:35.157\",\"lastModified\":\"2025-06-18T13:47:40.833\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio-blk: Avoid use-after-free on suspend/resume\\n\\nhctx-\u003euser_data is set to vq in virtblk_init_hctx().  However, vq is\\nfreed on suspend and reallocated on resume.  So, hctx-\u003euser_data is\\ninvalid after resume, and it will cause use-after-free accessing which\\nwill result in the kernel crash something like below:\\n\\n[   22.428391] Call Trace:\\n[   22.428899]  \u003cTASK\u003e\\n[   22.429339]  virtqueue_add_split+0x3eb/0x620\\n[   22.430035]  ? __blk_mq_alloc_requests+0x17f/0x2d0\\n[   22.430789]  ? kvm_clock_get_cycles+0x14/0x30\\n[   22.431496]  virtqueue_add_sgs+0xad/0xd0\\n[   22.432108]  virtblk_add_req+0xe8/0x150\\n[   22.432692]  virtio_queue_rqs+0xeb/0x210\\n[   22.433330]  blk_mq_flush_plug_list+0x1b8/0x280\\n[   22.434059]  __blk_flush_plug+0xe1/0x140\\n[   22.434853]  blk_finish_plug+0x20/0x40\\n[   22.435512]  read_pages+0x20a/0x2e0\\n[   22.436063]  ? folio_add_lru+0x62/0xa0\\n[   22.436652]  page_cache_ra_unbounded+0x112/0x160\\n[   22.437365]  filemap_get_pages+0xe1/0x5b0\\n[   22.437964]  ? context_to_sid+0x70/0x100\\n[   22.438580]  ? sidtab_context_to_sid+0x32/0x400\\n[   22.439979]  filemap_read+0xcd/0x3d0\\n[   22.440917]  xfs_file_buffered_read+0x4a/0xc0\\n[   22.441984]  xfs_file_read_iter+0x65/0xd0\\n[   22.442970]  __kernel_read+0x160/0x2e0\\n[   22.443921]  bprm_execve+0x21b/0x640\\n[   22.444809]  do_execveat_common.isra.0+0x1a8/0x220\\n[   22.446008]  __x64_sys_execve+0x2d/0x40\\n[   22.446920]  do_syscall_64+0x37/0x90\\n[   22.447773]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n\\nThis patch fixes this issue by getting vq from vblk, and removes\\nvirtblk_init_hctx().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio-blk: Evita el Use-After-Free al suspender/reanudar. hctx-\u0026gt;user_data est\u00e1 configurado como vq en virtblk_init_hctx(). Sin embargo, vq se libera al suspender y se reasigna al reanudar. Por lo tanto, hctx-\u0026gt;user_data no es v\u00e1lido despu\u00e9s de reanudar y provocar\u00e1 el acceso despu\u00e9s de la liberaci\u00f3n, lo que provocar\u00e1 un fallo del kernel similar al siguiente: [ 22.428391] Seguimiento de llamadas: [ 22.428899]  [ 22.429339] virtqueue_add_split+0x3eb/0x620 [ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0 [ 22.430789] ? kvm_clock_get_cycles+0x14/0x30 [ 22.431496] virtqueue_add_sgs+0xad/0xd0 [ 22.432108] virtblk_add_req+0xe8/0x150 [ 22.432692] virtio_queue_rqs+0xeb/0x210 [ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280 [ 22.434059] __blk_flush_plug+0xe1/0x140 [ 22.434853] blk_finish_plug+0x20/0x40 [ 22.435512] read_pages+0x20a/0x2e0 [ 22.436063] ? folio_add_lru+0x62/0xa0 [ 22.436652] page_cache_ra_unbounded+0x112/0x160 [ 22.437365] filemap_get_pages+0xe1/0x5b0 [ 22.437964] ? context_to_sid+0x70/0x100 [ 22.438580] ? sidtab_context_to_sid+0x32/0x400 [ 22.439979] filemap_read+0xcd/0x3d0 [ 22.440917] xfs_file_buffered_read+0x4a/0xc0 [ 22.441984] xfs_file_read_iter+0x65/0xd0 [ 22.442970] __kernel_read+0x160/0x2e0 [ 22.443921] bprm_execve+0x21b/0x640 [ 22.444809] do_execveat_common.isra.0+0x1a8/0x220 [ 22.446008] __x64_sys_execve+0x2d/0x40 [ 22.446920] do_syscall_64+0x37/0x90 [ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd Este parche corrige este problema obteniendo vq de vblk y elimina virtblk_init_hctx().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2b54e14535bc34bf649372060d518ec9f2b893b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8d12ec10292877751ee4463b11a63bd850bc09b5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.