fkie_cve-2022-50064
Vulnerability from fkie_nvd
Published
2025-06-18 11:15
Modified
2025-06-18 13:47
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: virtio-blk: Avoid use-after-free on suspend/resume hctx->user_data is set to vq in virtblk_init_hctx(). However, vq is freed on suspend and reallocated on resume. So, hctx->user_data is invalid after resume, and it will cause use-after-free accessing which will result in the kernel crash something like below: [ 22.428391] Call Trace: [ 22.428899] <TASK> [ 22.429339] virtqueue_add_split+0x3eb/0x620 [ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0 [ 22.430789] ? kvm_clock_get_cycles+0x14/0x30 [ 22.431496] virtqueue_add_sgs+0xad/0xd0 [ 22.432108] virtblk_add_req+0xe8/0x150 [ 22.432692] virtio_queue_rqs+0xeb/0x210 [ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280 [ 22.434059] __blk_flush_plug+0xe1/0x140 [ 22.434853] blk_finish_plug+0x20/0x40 [ 22.435512] read_pages+0x20a/0x2e0 [ 22.436063] ? folio_add_lru+0x62/0xa0 [ 22.436652] page_cache_ra_unbounded+0x112/0x160 [ 22.437365] filemap_get_pages+0xe1/0x5b0 [ 22.437964] ? context_to_sid+0x70/0x100 [ 22.438580] ? sidtab_context_to_sid+0x32/0x400 [ 22.439979] filemap_read+0xcd/0x3d0 [ 22.440917] xfs_file_buffered_read+0x4a/0xc0 [ 22.441984] xfs_file_read_iter+0x65/0xd0 [ 22.442970] __kernel_read+0x160/0x2e0 [ 22.443921] bprm_execve+0x21b/0x640 [ 22.444809] do_execveat_common.isra.0+0x1a8/0x220 [ 22.446008] __x64_sys_execve+0x2d/0x40 [ 22.446920] do_syscall_64+0x37/0x90 [ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd This patch fixes this issue by getting vq from vblk, and removes virtblk_init_hctx().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2b54e14535bc34bf649372060d518ec9f2b893b3
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8d12ec10292877751ee4463b11a63bd850bc09b5
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Avoid use-after-free on suspend/resume\n\nhctx-\u003euser_data is set to vq in virtblk_init_hctx().  However, vq is\nfreed on suspend and reallocated on resume.  So, hctx-\u003euser_data is\ninvalid after resume, and it will cause use-after-free accessing which\nwill result in the kernel crash something like below:\n\n[   22.428391] Call Trace:\n[   22.428899]  \u003cTASK\u003e\n[   22.429339]  virtqueue_add_split+0x3eb/0x620\n[   22.430035]  ? __blk_mq_alloc_requests+0x17f/0x2d0\n[   22.430789]  ? kvm_clock_get_cycles+0x14/0x30\n[   22.431496]  virtqueue_add_sgs+0xad/0xd0\n[   22.432108]  virtblk_add_req+0xe8/0x150\n[   22.432692]  virtio_queue_rqs+0xeb/0x210\n[   22.433330]  blk_mq_flush_plug_list+0x1b8/0x280\n[   22.434059]  __blk_flush_plug+0xe1/0x140\n[   22.434853]  blk_finish_plug+0x20/0x40\n[   22.435512]  read_pages+0x20a/0x2e0\n[   22.436063]  ? folio_add_lru+0x62/0xa0\n[   22.436652]  page_cache_ra_unbounded+0x112/0x160\n[   22.437365]  filemap_get_pages+0xe1/0x5b0\n[   22.437964]  ? context_to_sid+0x70/0x100\n[   22.438580]  ? sidtab_context_to_sid+0x32/0x400\n[   22.439979]  filemap_read+0xcd/0x3d0\n[   22.440917]  xfs_file_buffered_read+0x4a/0xc0\n[   22.441984]  xfs_file_read_iter+0x65/0xd0\n[   22.442970]  __kernel_read+0x160/0x2e0\n[   22.443921]  bprm_execve+0x21b/0x640\n[   22.444809]  do_execveat_common.isra.0+0x1a8/0x220\n[   22.446008]  __x64_sys_execve+0x2d/0x40\n[   22.446920]  do_syscall_64+0x37/0x90\n[   22.447773]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by getting vq from vblk, and removes\nvirtblk_init_hctx()."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio-blk: Evita el Use-After-Free al suspender/reanudar. hctx-\u0026gt;user_data est\u00e1 configurado como vq en virtblk_init_hctx(). Sin embargo, vq se libera al suspender y se reasigna al reanudar. Por lo tanto, hctx-\u0026gt;user_data no es v\u00e1lido despu\u00e9s de reanudar y provocar\u00e1 el acceso despu\u00e9s de la liberaci\u00f3n, lo que provocar\u00e1 un fallo del kernel similar al siguiente: [ 22.428391] Seguimiento de llamadas: [ 22.428899]  [ 22.429339] virtqueue_add_split+0x3eb/0x620 [ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0 [ 22.430789] ? kvm_clock_get_cycles+0x14/0x30 [ 22.431496] virtqueue_add_sgs+0xad/0xd0 [ 22.432108] virtblk_add_req+0xe8/0x150 [ 22.432692] virtio_queue_rqs+0xeb/0x210 [ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280 [ 22.434059] __blk_flush_plug+0xe1/0x140 [ 22.434853] blk_finish_plug+0x20/0x40 [ 22.435512] read_pages+0x20a/0x2e0 [ 22.436063] ? folio_add_lru+0x62/0xa0 [ 22.436652] page_cache_ra_unbounded+0x112/0x160 [ 22.437365] filemap_get_pages+0xe1/0x5b0 [ 22.437964] ? context_to_sid+0x70/0x100 [ 22.438580] ? sidtab_context_to_sid+0x32/0x400 [ 22.439979] filemap_read+0xcd/0x3d0 [ 22.440917] xfs_file_buffered_read+0x4a/0xc0 [ 22.441984] xfs_file_read_iter+0x65/0xd0 [ 22.442970] __kernel_read+0x160/0x2e0 [ 22.443921] bprm_execve+0x21b/0x640 [ 22.444809] do_execveat_common.isra.0+0x1a8/0x220 [ 22.446008] __x64_sys_execve+0x2d/0x40 [ 22.446920] do_syscall_64+0x37/0x90 [ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd Este parche corrige este problema obteniendo vq de vblk y elimina virtblk_init_hctx()."
    }
  ],
  "id": "CVE-2022-50064",
  "lastModified": "2025-06-18T13:47:40.833",
  "metrics": {},
  "published": "2025-06-18T11:15:35.157",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2b54e14535bc34bf649372060d518ec9f2b893b3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8d12ec10292877751ee4463b11a63bd850bc09b5"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.