ghsa-fjrf-m4f9-hh77
Vulnerability from github
Published
2025-04-14 21:32
Modified
2025-04-14 21:32
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix race between nbd_alloc_config() and module removal

When nbd module is being removing, nbd_alloc_config() may be called concurrently by nbd_genl_connect(), although try_module_get() will return false, but nbd_alloc_config() doesn't handle it.

The race may lead to the leak of nbd_config and its related resources (e.g, recv_workq) and oops in nbd_read_stat() due to the unload of nbd module as shown below:

BUG: kernel NULL pointer dereference, address: 0000000000000040 Oops: 0000 [#1] SMP PTI CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Workqueue: knbd16-recv recv_work [nbd] RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd] Call Trace: recv_work+0x3b/0xb0 [nbd] process_one_work+0x1ed/0x390 worker_thread+0x4a/0x3d0 kthread+0x12a/0x150 ret_from_fork+0x22/0x30

Fixing it by checking the return value of try_module_get() in nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV), assign nbd->config only when nbd_alloc_config() succeeds to ensure the value of nbd->config is binary (valid or NULL).

Also adding a debug message to check the reference counter of nbd_config during module removal.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix race between nbd_alloc_config() and module removal\n\nWhen nbd module is being removing, nbd_alloc_config() may be\ncalled concurrently by nbd_genl_connect(), although try_module_get()\nwill return false, but nbd_alloc_config() doesn\u0027t handle it.\n\nThe race may lead to the leak of nbd_config and its related\nresources (e.g, recv_workq) and oops in nbd_read_stat() due\nto the unload of nbd module as shown below:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000040\n  Oops: 0000 [#1] SMP PTI\n  CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n  Workqueue: knbd16-recv recv_work [nbd]\n  RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd]\n  Call Trace:\n   recv_work+0x3b/0xb0 [nbd]\n   process_one_work+0x1ed/0x390\n   worker_thread+0x4a/0x3d0\n   kthread+0x12a/0x150\n   ret_from_fork+0x22/0x30\n\nFixing it by checking the return value of try_module_get()\nin nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV),\nassign nbd-\u003econfig only when nbd_alloc_config() succeeds to ensure\nthe value of nbd-\u003econfig is binary (valid or NULL).\n\nAlso adding a debug message to check the reference counter\nof nbd_config during module removal.",
  "id": "GHSA-fjrf-m4f9-hh77",
  "modified": "2025-04-14T21:32:21Z",
  "published": "2025-04-14T21:32:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49300"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/122e4adaff2439f1cc18cc7e931980fa7560df5c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/165cf2e0019fa6cedc75b456490c41494c34abb4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2573f2375b64280be977431701ed5d33b75b9ad0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2888fa41985f93ed0a6837cfbb06bcbfd7fa2314"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71c142f910da44421213ade601bcbd23ceae19fa"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8a7da4ced236ce6637fe70f14ca18e718d4bf9e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c55b2b983b0fa012942c3eb16384b2b722caa810"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d09525720dd5201756f698bee1076de9aefd4602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.