CVE-2022-48847
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48847
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48847.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-48847
- Downstream
- Related
- Published
- 2024-07-16T12:25:15Z
- Modified
- 2025-10-21T08:15:14.275305Z
- Summary
- watch_queue: Fix filter limit check
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Fix filter limit check
In watchqueuesetfilter(), there are a couple of places where we check that the filter type value does not exceed what the typefilter bitmap can hold. One place calculates the number of bits by:
if (tf[i].type >= sizeof(wfilter->type_filter) * 8)
which is fine, but the second does:
if (tf[i].type >= sizeof(wfilter->typefilter) * BITSPER_LONG)
which is not. This can lead to a couple of out-of-bounds writes due to a too-large type:
(1) _setbit() on wfilter->type_filter (2) Writing more elements in wfilter->filters[] than we allocated.
Fix this by just using the proper WATCHTYPE_NR instead, which is the number of types we actually know about.
The bug may cause an oops looking something like:
BUG: KASAN: slab-out-of-bounds in watchqueuesetfilter+0x659/0x740 Write of size 4 at addr ffff88800d2c66bc by task watchqueueoob/611 ... Call Trace: <TASK> dumpstacklvl+0x45/0x59 printaddressdescription.constprop.0+0x1f/0x150 ... kasanreport.cold+0x7f/0x11b ... watchqueuesetfilter+0x659/0x740 ... _x64sysioctl+0x127/0x190 dosyscall64+0x43/0x90 entrySYSCALL64afterhwframe+0x44/0xae
Allocated by task 611: kasansavestack+0x1e/0x40 _kasankmalloc+0x81/0xa0 watchqueuesetfilter+0x23a/0x740 _x64sysioctl+0x127/0x190 dosyscall64+0x43/0x90 entrySYSCALL64afterhwframe+0x44/0xae
The buggy address belongs to the object at ffff88800d2c66a0 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 28 bytes inside of 32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1b09f28f70a5046acd64138075ae3f095238b045
- https://git.kernel.org/stable/c/648895da69ced90ca770fd941c3d9479a9d72c16
- https://git.kernel.org/stable/c/b36588ebbcef74583824c08352e75838d6fb4ff2
- https://git.kernel.org/stable/c/c993ee0f9f81caf5767a50d1faeba39a0dc82af2
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc73be61cede5882f9605a852414db559c0ebedfdFixed648895da69ced90ca770fd941c3d9479a9d72c16
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc73be61cede5882f9605a852414db559c0ebedfdFixed1b09f28f70a5046acd64138075ae3f095238b045
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc73be61cede5882f9605a852414db559c0ebedfdFixedb36588ebbcef74583824c08352e75838d6fb4ff2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc73be61cede5882f9605a852414db559c0ebedfdFixedc993ee0f9f81caf5767a50d1faeba39a0dc82af2
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.7
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
vanir_signatures
[
{
"deprecated": false,
"id": "CVE-2022-48847-05c7cdfd",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c993ee0f9f81caf5767a50d1faeba39a0dc82af2",
"digest": {
"function_hash": "100681802253888243285185113804963894436",
"length": 1610.0
},
"target": {
"function": "watch_queue_set_filter",
"file": "kernel/watch_queue.c"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-2013713b",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@648895da69ced90ca770fd941c3d9479a9d72c16",
"digest": {
"function_hash": "100681802253888243285185113804963894436",
"length": 1610.0
},
"target": {
"function": "watch_queue_set_filter",
"file": "kernel/watch_queue.c"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-229568df",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36588ebbcef74583824c08352e75838d6fb4ff2",
"digest": {
"threshold": 0.9,
"line_hashes": [
"137711575114100241341513004250176254588",
"4521193905409463404961056291118548270",
"61039842527287373786503834170963495775",
"83746915187150315936989793431489767026",
"179978502218311778361334427312765801980",
"90946958218134933078931379025821795496",
"315062337405339488667935056551045609560",
"69192450663966954410916912513811172184"
]
},
"target": {
"file": "kernel/watch_queue.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-3bf10863",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36588ebbcef74583824c08352e75838d6fb4ff2",
"digest": {
"function_hash": "100681802253888243285185113804963894436",
"length": 1610.0
},
"target": {
"function": "watch_queue_set_filter",
"file": "kernel/watch_queue.c"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-48bfbebf",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36588ebbcef74583824c08352e75838d6fb4ff2",
"digest": {
"threshold": 0.9,
"line_hashes": [
"220556643955273045540304130297866366277",
"218192974053790325717759735569621058111",
"235864538394265797283172213633001322753",
"156215045986280034587208338768586602994"
]
},
"target": {
"file": "include/linux/watch_queue.h"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-53ccc532",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b09f28f70a5046acd64138075ae3f095238b045",
"digest": {
"threshold": 0.9,
"line_hashes": [
"220556643955273045540304130297866366277",
"218192974053790325717759735569621058111",
"235864538394265797283172213633001322753",
"156215045986280034587208338768586602994"
]
},
"target": {
"file": "include/linux/watch_queue.h"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-561cab93",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c993ee0f9f81caf5767a50d1faeba39a0dc82af2",
"digest": {
"threshold": 0.9,
"line_hashes": [
"220556643955273045540304130297866366277",
"218192974053790325717759735569621058111",
"235864538394265797283172213633001322753",
"156215045986280034587208338768586602994"
]
},
"target": {
"file": "include/linux/watch_queue.h"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-ae1c0aa6",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@648895da69ced90ca770fd941c3d9479a9d72c16",
"digest": {
"threshold": 0.9,
"line_hashes": [
"137711575114100241341513004250176254588",
"4521193905409463404961056291118548270",
"61039842527287373786503834170963495775",
"83746915187150315936989793431489767026",
"179978502218311778361334427312765801980",
"90946958218134933078931379025821795496",
"315062337405339488667935056551045609560",
"69192450663966954410916912513811172184"
]
},
"target": {
"file": "kernel/watch_queue.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-afc98cad",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c993ee0f9f81caf5767a50d1faeba39a0dc82af2",
"digest": {
"threshold": 0.9,
"line_hashes": [
"137711575114100241341513004250176254588",
"4521193905409463404961056291118548270",
"61039842527287373786503834170963495775",
"83746915187150315936989793431489767026",
"179978502218311778361334427312765801980",
"90946958218134933078931379025821795496",
"315062337405339488667935056551045609560",
"69192450663966954410916912513811172184"
]
},
"target": {
"file": "kernel/watch_queue.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-cf2bc0f9",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b09f28f70a5046acd64138075ae3f095238b045",
"digest": {
"threshold": 0.9,
"line_hashes": [
"137711575114100241341513004250176254588",
"4521193905409463404961056291118548270",
"61039842527287373786503834170963495775",
"83746915187150315936989793431489767026",
"179978502218311778361334427312765801980",
"90946958218134933078931379025821795496",
"315062337405339488667935056551045609560",
"69192450663966954410916912513811172184"
]
},
"target": {
"file": "kernel/watch_queue.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-e4377e4f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b09f28f70a5046acd64138075ae3f095238b045",
"digest": {
"function_hash": "100681802253888243285185113804963894436",
"length": 1610.0
},
"target": {
"function": "watch_queue_set_filter",
"file": "kernel/watch_queue.c"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"deprecated": false,
"id": "CVE-2022-48847-f836c21c",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@648895da69ced90ca770fd941c3d9479a9d72c16",
"digest": {
"threshold": 0.9,
"line_hashes": [
"220556643955273045540304130297866366277",
"218192974053790325717759735569621058111",
"235864538394265797283172213633001322753",
"156215045986280034587208338768586602994"
]
},
"target": {
"file": "include/linux/watch_queue.h"
},
"signature_type": "Line",
"signature_version": "v1"
}
]