CVE-2022-48937

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48937
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48937.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48937
Downstream
Related
Published
2024-08-22T03:31:32Z
Modified
2025-10-21T08:49:24.312603Z
Summary
io_uring: add a schedule point in io_add_buffers()
Details

In the Linux kernel, the following vulnerability has been resolved:

iouring: add a schedule point in ioadd_buffers()

Looping ~65535 times doing kmalloc() calls can trigger soft lockups, especially with DEBUG features (like KASAN).

[ 253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575] [ 253.544433] Modules linked in: vfat fat i2cmuxpca954x i2cmux spidev cdcacm xhcipci xhcihcd sha3generic gq(O) [ 253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S O 5.17.0-smp-DEV #801 [ 253.544457] RIP: 0010:kerneltextaddress (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98) [ 253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40 [ 253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246 [ 253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001 [ 253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a [ 253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004 [ 253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380 [ 253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0 [ 253.544483] FS: 00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000 [ 253.544486] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0 [ 253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 253.544494] Call Trace: [ 253.544496] <TASK> [ 253.544498] ? ioqueuesqe (fs/iouring.c:7143) [ 253.544505] kerneltextaddress (kernel/extable.c:78) [ 253.544508] unwindgetreturnaddress (arch/x86/kernel/unwindframe.c:19) [ 253.544514] archstackwalk (arch/x86/kernel/stacktrace.c:27) [ 253.544517] ? ioqueuesqe (fs/iouring.c:7143) [ 253.544521] stacktracesave (kernel/stacktrace.c:123) [ 253.544527] _kasankmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) [ 253.544531] ? __kasankmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515) [ 253.544533] ? _kasankmalloc (mm/kasan/common.c:524) [ 253.544535] ? kmemcachealloctrace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544541] ? ioissuesqe (fs/iouring.c:4556 fs/iouring.c:4589 fs/iouring.c:6828) [ 253.544544] ? _ioqueuesqe (fs/iouring.c:?) [ 253.544551] _kasankmalloc (mm/kasan/common.c:524) [ 253.544553] kmemcachealloctrace (./include/linux/kasan.h:270 mm/slab.c:3567) [ 253.544556] ? ioissuesqe (fs/iouring.c:4556 fs/iouring.c:4589 fs/iouring.c:6828) [ 253.544560] ioissuesqe (fs/iouring.c:4556 fs/iouring.c:4589 fs/iouring.c:6828) [ 253.544564] ? _kasanslaballoc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544567] ? _kasanslaballoc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) [ 253.544569] ? kmemcacheallocbulk (mm/slab.h:732 mm/slab.c:3546) [ 253.544573] ? _ioallocreqrefill (fs/iouring.c:2078) [ 253.544578] ? iosubmitsqes (fs/iouring.c:7441) [ 253.544581] ? _sesysiouringenter (fs/iouring.c:10154 fs/iouring.c:10096) [ 253.544584] ? _x64sysiouringenter (fs/iouring.c:10096) [ 253.544587] ? dosyscall64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [ 253.544590] ? entrySYSCALL64afterhwframe (??:?) [ 253.544596] _ioqueuesqe (fs/iouring.c:?) [ 253.544600] ioqueuesqe (fs/iouring.c:7143) [ 253.544603] iosubmitsqe (fs/iouring.c:?) [ 253.544608] iosubmitsqes (fs/iouring.c:?) [ 253.544612] _sesysiouringenter (fs/iouring.c:10154 fs/io_uri ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ddf0322db79c5984dc1a1db890f946dd19b7d6d9
Fixed
4a93c6594613c3429b6f30136fff115c7f803af4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ddf0322db79c5984dc1a1db890f946dd19b7d6d9
Fixed
c718ea4e7382e18957ed0e88a5f855e2122d9c00
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ddf0322db79c5984dc1a1db890f946dd19b7d6d9
Fixed
8f3cc3c5bc43d03b5748ac4fb8d180084952c36a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ddf0322db79c5984dc1a1db890f946dd19b7d6d9
Fixed
f240762f88b4b1b58561939ffd44837759756477

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.6
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-48937-4556729c",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "91414922481144785508058024071946224600",
                "43850529659078421102375708707890976706",
                "119499308934452224175524020346763596347",
                "30046551102071320695937368941536424407"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c718ea4e7382e18957ed0e88a5f855e2122d9c00",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-48937-463d0961",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "91414922481144785508058024071946224600",
                "43850529659078421102375708707890976706",
                "119499308934452224175524020346763596347",
                "30046551102071320695937368941536424407"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f240762f88b4b1b58561939ffd44837759756477",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-48937-4692b27e",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "91414922481144785508058024071946224600",
                "43850529659078421102375708707890976706",
                "119499308934452224175524020346763596347",
                "30046551102071320695937368941536424407"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a93c6594613c3429b6f30136fff115c7f803af4",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-48937-56baeee4",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 558.0,
            "function_hash": "1685294118113995025108158744621044187"
        },
        "target": {
            "function": "io_add_buffers",
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c718ea4e7382e18957ed0e88a5f855e2122d9c00",
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-48937-a7459eea",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "91414922481144785508058024071946224600",
                "43850529659078421102375708707890976706",
                "119499308934452224175524020346763596347",
                "30046551102071320695937368941536424407"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f3cc3c5bc43d03b5748ac4fb8d180084952c36a",
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-48937-aaac3479",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 558.0,
            "function_hash": "1685294118113995025108158744621044187"
        },
        "target": {
            "function": "io_add_buffers",
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a93c6594613c3429b6f30136fff115c7f803af4",
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-48937-b0fa470a",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 558.0,
            "function_hash": "1685294118113995025108158744621044187"
        },
        "target": {
            "function": "io_add_buffers",
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f3cc3c5bc43d03b5748ac4fb8d180084952c36a",
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-48937-ee87d6d4",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 558.0,
            "function_hash": "1685294118113995025108158744621044187"
        },
        "target": {
            "function": "io_add_buffers",
            "file": "fs/io_uring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f240762f88b4b1b58561939ffd44837759756477",
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.7.0
Fixed
5.10.103
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.26
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.12