In the Linux kernel, the following vulnerability has been resolved:
block, bfq: don't move oom_bfqq
Our test reports a UAF:
[ 2073.019181] ==================================================================
[ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584
[ 2073.019192]
[ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5
[ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[ 2073.019200] Call trace:
[ 2073.019203] dump_backtrace+0x0/0x310
[ 2073.019206] show_stack+0x28/0x38
[ 2073.019210] dump_stack+0xec/0x15c
[ 2073.019216] print_address_description+0x68/0x2d0
[ 2073.019220] kasan_report+0x238/0x2f0
[ 2073.019224] __asan_store8+0x88/0xb0
[ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168
[ 2073.019233] bfq_put_async_queues+0xbc/0x208
[ 2073.019236] bfq_pd_offline+0x178/0x238
[ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019244] bfq_exit_queue+0x128/0x178
[ 2073.019249] blk_mq_exit_sched+0x12c/0x160
[ 2073.019252] elevator_exit+0xc8/0xd0
[ 2073.019256] blk_exit_queue+0x50/0x88
[ 2073.019259] blk_cleanup_queue+0x228/0x3d8
[ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019274] null_exit+0x90/0x114 [null_blk]
[ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019282] el0_svc_common+0xc8/0x320
[ 2073.019287] el0_svc_handler+0xf8/0x160
[ 2073.019290] el0_svc+0x10/0x218
[ 2073.019291]
[ 2073.019294] Allocated by task 14163:
[ 2073.019301] kasan_kmalloc+0xe0/0x190
[ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418
[ 2073.019308] bfq_pd_alloc+0x54/0x118
[ 2073.019313] blkcg_activate_policy+0x250/0x460
[ 2073.019317] bfq_create_group_hierarchy+0x38/0x110
[ 2073.019321] bfq_init_queue+0x6d0/0x948
[ 2073.019325] blk_mq_init_sched+0x1d8/0x390
[ 2073.019330] elevator_switch_mq+0x88/0x170
[ 2073.019334] elevator_switch+0x140/0x270
[ 2073.019338] elv_iosched_store+0x1a4/0x2a0
[ 2073.019342] queue_attr_store+0x90/0xe0
[ 2073.019348] sysfs_kf_write+0xa8/0xe8
[ 2073.019351] kernfs_fop_write+0x1f8/0x378
[ 2073.019359] __vfs_write+0xe0/0x360
[ 2073.019363] vfs_write+0xf0/0x270
[ 2073.019367] ksys_write+0xdc/0x1b8
[ 2073.019371] __arm64_sys_write+0x50/0x60
[ 2073.019375] el0_svc_common+0xc8/0x320
[ 2073.019380] el0_svc_handler+0xf8/0x160
[ 2073.019383] el0_svc+0x10/0x218
[ 2073.019385]
[ 2073.019387] Freed by task 72584:
[ 2073.019391] __kasan_slab_free+0x120/0x228
[ 2073.019394] kasan_slab_free+0x10/0x18
[ 2073.019397] kfree+0x94/0x368
[ 2073.019400] bfqg_put+0x64/0xb0
[ 2073.019404] bfqg_and_blkg_put+0x90/0xb0
[ 2073.019408] bfq_put_queue+0x220/0x228
[ 2073.019413] __bfq_put_async_bfqq+0x98/0x168
[ 2073.019416] bfq_put_async_queues+0xbc/0x208
[ 2073.019420] bfq_pd_offline+0x178/0x238
[ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420
[ 2073.019429] bfq_exit_queue+0x128/0x178
[ 2073.019433] blk_mq_exit_sched+0x12c/0x160
[ 2073.019437] elevator_exit+0xc8/0xd0
[ 2073.019440] blk_exit_queue+0x50/0x88
[ 2073.019443] blk_cleanup_queue+0x228/0x3d8
[ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk]
[ 2073.019459] null_exit+0x90/0x114 [null_blk]
[ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0
[ 2073.019467] el0_svc_common+0xc8/0x320
[ 2073.019471] el0_svc_handler+0xf8/0x160
[ 2073.019474] el0_svc+0x10/0x218
[ 2073.019475]
[ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00 which belongs to the cache kmalloc-1024 of size 1024
[ 2073.019484] The buggy address is located 552 bytes inside of 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300)
[ 2073.019486] The buggy address belongs to the page:
[ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0
[ 2073.020123] flags: 0x7ffff0000008100(slab|head)
[ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00
[ 2073.020409] ra ---truncated---
[
{
"id": "CVE-2022-49179-138051a4",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f34dea99cd7761156a146a5258a67d045d862f7",
"signature_version": "v1",
"digest": {
"line_hashes": [
"258293234817438615958034132049092128645",
"243302782400650908082222312861875747655",
"171081202525742545212760899384489413552"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-31018c88",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7507ead1e9d42957c2340f2c4a0e9d00034e3366",
"signature_version": "v1",
"digest": {
"length": 759.0,
"function_hash": "39572329601877830654374651510187009620"
},
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "bfq_bfqq_move",
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-40f401cc",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8410f70977734f21b8ed45c37e925d311dfda2e7",
"signature_version": "v1",
"digest": {
"line_hashes": [
"98442840712461048870943372119413895459",
"247599214805210389750646669840490771856",
"87512353771138249048622323167911402427"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-5fc32019",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8410f70977734f21b8ed45c37e925d311dfda2e7",
"signature_version": "v1",
"digest": {
"length": 1004.0,
"function_hash": "295470853700841427534896064717428767645"
},
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "bfq_bfqq_move",
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-99c79b62",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c01fced8d38fbccc82787065229578006f28e020",
"signature_version": "v1",
"digest": {
"length": 955.0,
"function_hash": "141160278709355288527311193773724061296"
},
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "bfq_bfqq_move",
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-9f3934f4",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c01fced8d38fbccc82787065229578006f28e020",
"signature_version": "v1",
"digest": {
"line_hashes": [
"258293234817438615958034132049092128645",
"243302782400650908082222312861875747655",
"171081202525742545212760899384489413552"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-b53a0005",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7507ead1e9d42957c2340f2c4a0e9d00034e3366",
"signature_version": "v1",
"digest": {
"line_hashes": [
"258293234817438615958034132049092128645",
"243302782400650908082222312861875747655",
"171081202525742545212760899384489413552"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-bc7c8ddd",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87fdfe8589d43e471dffb4c60f75eeb6f37afc4c",
"signature_version": "v1",
"digest": {
"line_hashes": [
"258293234817438615958034132049092128645",
"243302782400650908082222312861875747655",
"171081202525742545212760899384489413552"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-c5ede397",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87fdfe8589d43e471dffb4c60f75eeb6f37afc4c",
"signature_version": "v1",
"digest": {
"length": 955.0,
"function_hash": "141160278709355288527311193773724061296"
},
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "bfq_bfqq_move",
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-cc79dfc1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f34dea99cd7761156a146a5258a67d045d862f7",
"signature_version": "v1",
"digest": {
"length": 955.0,
"function_hash": "141160278709355288527311193773724061296"
},
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "bfq_bfqq_move",
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-d087e384",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c4f5a678add58a8a0e7ee5e038496b376ea6d205",
"signature_version": "v1",
"digest": {
"length": 748.0,
"function_hash": "205269112326495827951382529715643025599"
},
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "bfq_bfqq_move",
"file": "block/bfq-cgroup.c"
}
},
{
"id": "CVE-2022-49179-e207899a",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c4f5a678add58a8a0e7ee5e038496b376ea6d205",
"signature_version": "v1",
"digest": {
"line_hashes": [
"258293234817438615958034132049092128645",
"243302782400650908082222312861875747655",
"171081202525742545212760899384489413552"
],
"threshold": 0.9
},
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "block/bfq-cgroup.c"
}
}
]