In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") will access 'bic->bfqq' in bic_set_bfqq(); however, bfq_exit_icq_bfqq() can free bfqq first and then call bic_set_bfqq(), which will cause a use-after-free (uaf).
Fix the problem by moving bfq_exit_bfqq() behind bic_set_bfqq().
[
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"264925483130729804988661743719821444216",
"276934674898010721540910938740930637515",
"171363601504248423864369642120041351394",
"284894497607264516466241581172835541067",
"33674535368786234788998284944232476022"
],
"threshold": 0.9
},
"id": "CVE-2022-50329-39d83c4d",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1ed959fef5b1c6f1a7a3fbea543698c30ebd6678",
"signature_type": "Line",
"target": {
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "50031814096427565455412696443263302897",
"length": 318.0
},
"id": "CVE-2022-50329-48d4a9ef",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cfe5b38c37720313eff0dec5517442c7ab3c9a20",
"signature_type": "Function",
"target": {
"function": "bfq_exit_icq_bfqq",
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "50031814096427565455412696443263302897",
"length": 318.0
},
"id": "CVE-2022-50329-4d3b2610",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@246cf66e300b76099b5dbd3fdd39e9a5dbc53f02",
"signature_type": "Function",
"target": {
"function": "bfq_exit_icq_bfqq",
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"264925483130729804988661743719821444216",
"276934674898010721540910938740930637515",
"171363601504248423864369642120041351394",
"284894497607264516466241581172835541067",
"33674535368786234788998284944232476022"
],
"threshold": 0.9
},
"id": "CVE-2022-50329-84b4c0e3",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7949b0df3dd9f4817ed4a4e989fa9ee81df6205f",
"signature_type": "Line",
"target": {
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "50031814096427565455412696443263302897",
"length": 318.0
},
"id": "CVE-2022-50329-8e046f84",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1ed959fef5b1c6f1a7a3fbea543698c30ebd6678",
"signature_type": "Function",
"target": {
"function": "bfq_exit_icq_bfqq",
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"264925483130729804988661743719821444216",
"276934674898010721540910938740930637515",
"171363601504248423864369642120041351394",
"284894497607264516466241581172835541067",
"33674535368786234788998284944232476022"
],
"threshold": 0.9
},
"id": "CVE-2022-50329-9fb82598",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cfe5b38c37720313eff0dec5517442c7ab3c9a20",
"signature_type": "Line",
"target": {
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"264925483130729804988661743719821444216",
"276934674898010721540910938740930637515",
"171363601504248423864369642120041351394",
"284894497607264516466241581172835541067",
"33674535368786234788998284944232476022"
],
"threshold": 0.9
},
"id": "CVE-2022-50329-ab561a6e",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1425f1bb5df5239021fd09ebc2a5e8070e705d36",
"signature_type": "Line",
"target": {
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "50031814096427565455412696443263302897",
"length": 318.0
},
"id": "CVE-2022-50329-be9b84ac",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7949b0df3dd9f4817ed4a4e989fa9ee81df6205f",
"signature_type": "Function",
"target": {
"function": "bfq_exit_icq_bfqq",
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"264925483130729804988661743719821444216",
"276934674898010721540910938740930637515",
"171363601504248423864369642120041351394",
"284894497607264516466241581172835541067",
"33674535368786234788998284944232476022"
],
"threshold": 0.9
},
"id": "CVE-2022-50329-daee2de5",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@246cf66e300b76099b5dbd3fdd39e9a5dbc53f02",
"signature_type": "Line",
"target": {
"file": "block/bfq-iosched.c"
}
},
{
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "50031814096427565455412696443263302897",
"length": 318.0
},
"id": "CVE-2022-50329-ea5e6716",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1425f1bb5df5239021fd09ebc2a5e8070e705d36",
"signature_type": "Function",
"target": {
"function": "bfq_exit_icq_bfqq",
"file": "block/bfq-iosched.c"
}
}
]