CVE-2022-50295

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50295
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50295.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50295
Downstream
Published
2025-09-15T14:45:51Z
Modified
2025-10-21T12:19:13.168954Z
Summary
io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()
Details

In the Linux kernel, the following vulnerability has been resolved:

iouring/msgring: Fix NULL pointer dereference in iomsgsend_fd()

Syzkaller produced the below call trace:

BUG: KASAN: null-ptr-deref in iomsgring+0x3cb/0x9f0 Write of size 8 at addr 0000000000000070 by task repro/16399

CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 Call Trace: <TASK> dumpstacklvl+0xcd/0x134 ? iomsgring+0x3cb/0x9f0 kasanreport+0xbc/0xf0 ? iomsgring+0x3cb/0x9f0 kasancheckrange+0x140/0x190 iomsgring+0x3cb/0x9f0 ? iomsgringprep+0x300/0x300 ioissuesqe+0x698/0xca0 iosubmitsqes+0x92f/0x1c30 _dosysiouringenter+0xae4/0x24b0 .... RIP: 0033:0x7f2eaf8f8289 RSP: 002b:00007fff40939718 EFLAGS: 00000246 ORIGRAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2eaf8f8289 RDX: 0000000000000000 RSI: 0000000000006f71 RDI: 0000000000000004 RBP: 00007fff409397a0 R08: 0000000000000000 R09: 0000000000000039 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004006d0 R13: 00007fff40939880 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: paniconwarn set ...

We don't have a NULL check on fileptr in iomsgsendfd() function, so when fileptr is NUL srcfile is also NULL and get_file() dereferences a NULL pointer and leads to above crash.

Add a NULL check to fix this issue.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e6130eba8a848a7a6ba6c534bd8f6d60749ae1a9
Fixed
0163e04ea64cc3dfaa12390286e5f2f481c3b2e3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e6130eba8a848a7a6ba6c534bd8f6d60749ae1a9
Fixed
16bbdfe5fb0e78e0acb13e45fc127e9a296913f2

Affected versions

v5.*

v5.19

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.1-rc1

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "33505026862275651016827314551995873019",
                "176513027006082059947053404687412061940",
                "255939655229882825604717013206773379550",
                "293315026438037656369254305177147760991"
            ]
        },
        "target": {
            "file": "io_uring/msg_ring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0163e04ea64cc3dfaa12390286e5f2f481c3b2e3",
        "id": "CVE-2022-50295-1b7394e8",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "5036467431774234922984238218527704101",
            "length": 964.0
        },
        "target": {
            "file": "io_uring/msg_ring.c",
            "function": "io_msg_send_fd"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0163e04ea64cc3dfaa12390286e5f2f481c3b2e3",
        "id": "CVE-2022-50295-4f1767be",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "5036467431774234922984238218527704101",
            "length": 964.0
        },
        "target": {
            "file": "io_uring/msg_ring.c",
            "function": "io_msg_send_fd"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16bbdfe5fb0e78e0acb13e45fc127e9a296913f2",
        "id": "CVE-2022-50295-7c58beb5",
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "33505026862275651016827314551995873019",
                "176513027006082059947053404687412061940",
                "255939655229882825604717013206773379550",
                "293315026438037656369254305177147760991"
            ]
        },
        "target": {
            "file": "io_uring/msg_ring.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16bbdfe5fb0e78e0acb13e45fc127e9a296913f2",
        "id": "CVE-2022-50295-acd93753",
        "deprecated": false,
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.6