CVE-2022-49321

EUVD-2022-54906

26.02.2025, 07:01

In the Linux kernel, the following vulnerability has been resolved:

xprtrdma: treat all calls not a bcall when bc_serv is NULL

When a rdma server returns a fault format reply, nfs v3 client may
treats it as a bcall when bc service is not exist.

The debug message at rpcrdma_bc_receive_call are,

[56579.837169] RPC:       rpcrdma_bc_receive_call: callback XID
00000001, length=20
[56579.837174] RPC:       rpcrdma_bc_receive_call: 00 00 00 01 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 04

After that, rpcrdma_bc_receive_call will meets NULL pointer as,

[  226.057890] BUG: unable to handle kernel NULL pointer dereference at
00000000000000c8
...
[  226.058704] RIP: 0010:_raw_spin_lock+0xc/0x20
...
[  226.059732] Call Trace:
[  226.059878]  rpcrdma_bc_receive_call+0x138/0x327 [rpcrdma]
[  226.060011]  __ib_process_cq+0x89/0x170 [ib_core]
[  226.060092]  ib_cq_poll_work+0x26/0x80 [ib_core]
[  226.060257]  process_one_work+0x1a7/0x360
[  226.060367]  ? create_worker+0x1a0/0x1a0
[  226.060440]  worker_thread+0x30/0x390
[  226.060500]  ? create_worker+0x1a0/0x1a0
[  226.060574]  kthread+0x116/0x130
[  226.060661]  ? kthread_flush_work_fn+0x10/0x10
[  226.060724]  ret_from_fork+0x35/0x40
...

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	𝑥 < 4.14.283
linux	linux_kernel	4.15 ≤ 𝑥 < 4.19.247
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.198
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.122
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.47
linux	linux_kernel	5.16 ≤ 𝑥 < 5.17.15
linux	linux_kernel	5.18 ≤ 𝑥 < 5.18.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
sid	6.12.16-1 fixed
trixie	6.12.12-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

dlm-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

gfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-64kb

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default-base

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1.150300.18.120.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1.150400.24.78.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1.150500.6.47.1 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.255.1

fixed

kernel-docs

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-macros

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-obs-build

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-preempt

suse enterprise server 15 SP3

5.3.18-150300.59.201.1

fixed

kernel-source

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-syms

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-zfcpdump

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

bpftool

RHEL 9

0:7.2.0-362.8.1.el9_3

fixed

kernel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-abi-stablelists

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-doc

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-kvm

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-debug-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-kvm

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-rt-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-tools

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-tools-libs

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-tools-libs-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-uki-virt

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-devel

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-modules

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

kernel-zfcpdump-modules-extra

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

libperf

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

perf

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

python3-perf

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

rtla

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

RHEL 9

0:5.14.0-362.8.1.el9_3

fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/11270e7ca268e8d61b5d9e5c3a54bd1550642c9c

https://git.kernel.org/stable/c/8dbae5affbdbf524b48000f9d357925bb001e5f4

https://git.kernel.org/stable/c/8e3943c50764dc7c5f25911970c3ff062ec1f18c

https://git.kernel.org/stable/c/90c4f73104016748533a5707ecd15930fbeff402

https://git.kernel.org/stable/c/91784f3d77b73885e1b2e6b59d3cbf0de0a1126a

https://git.kernel.org/stable/c/998d35a2aff4b81a1c784f3aa45cd3afff6814c1

https://git.kernel.org/stable/c/a3fc8051ee061e31db13e2fe011e8e0b71a7f815

https://git.kernel.org/stable/c/da99331fa62131a38a0947a8204c5208de7b0454