CVE-2022-50295
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50295
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50295.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-50295
- Downstream
- Published
- 2025-09-15T15:15:40Z
- Modified
- 2025-09-15T21:00:21Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
iouring/msgring: Fix NULL pointer dereference in iomsgsend_fd()
Syzkaller produced the below call trace:
BUG: KASAN: null-ptr-deref in iomsgring+0x3cb/0x9f0 Write of size 8 at addr 0000000000000070 by task repro/16399
CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 Call Trace: <TASK> dumpstacklvl+0xcd/0x134 ? iomsgring+0x3cb/0x9f0 kasanreport+0xbc/0xf0 ? iomsgring+0x3cb/0x9f0 kasancheckrange+0x140/0x190 iomsgring+0x3cb/0x9f0 ? iomsgringprep+0x300/0x300 ioissuesqe+0x698/0xca0 iosubmitsqes+0x92f/0x1c30 _dosysiouringenter+0xae4/0x24b0 .... RIP: 0033:0x7f2eaf8f8289 RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIGRAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289 RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004 RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0 R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: paniconwarn set ...
We don't have a NULL check on fileptr in iomsgsendfd() function, so when fileptr is NUL srcfile is also NULL and get_file() dereferences a NULL pointer and leads to above crash.
Add a NULL check to fix this issue.
- References