CVE-2022-49412

EUVD-2022-54817

26.02.2025, 07:01

In the Linux kernel, the following vulnerability has been resolved:

bfq: Avoid merging queues with different parents

It can happen that the parent of a bfqq changes between the moment we
decide two queues are worth to merge (and set bic->stable_merge_bfqq)
and the moment bfq_setup_merge() is called. This can happen e.g. because
the process submitted IO for a different cgroup and thus bfqq got
reparented. It can even happen that the bfqq we are merging with has
parent cgroup that is already offline and going to be destroyed in which
case the merge can lead to use-after-free issues such as:

BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544

CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G            E     5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x46/0x5a
 print_address_description.constprop.0+0x1f/0x140
 ? __bfq_deactivate_entity+0x9cb/0xa50
 kasan_report.cold+0x7f/0x11b
 ? __bfq_deactivate_entity+0x9cb/0xa50
 __bfq_deactivate_entity+0x9cb/0xa50
 ? update_curr+0x32f/0x5d0
 bfq_deactivate_entity+0xa0/0x1d0
 bfq_del_bfqq_busy+0x28a/0x420
 ? resched_curr+0x116/0x1d0
 ? bfq_requeue_bfqq+0x70/0x70
 ? check_preempt_wakeup+0x52b/0xbc0
 __bfq_bfqq_expire+0x1a2/0x270
 bfq_bfqq_expire+0xd16/0x2160
 ? try_to_wake_up+0x4ee/0x1260
 ? bfq_end_wr_async_queues+0xe0/0xe0
 ? _raw_write_unlock_bh+0x60/0x60
 ? _raw_spin_lock_irq+0x81/0xe0
 bfq_idle_slice_timer+0x109/0x280
 ? bfq_dispatch_request+0x4870/0x4870
 __hrtimer_run_queues+0x37d/0x700
 ? enqueue_hrtimer+0x1b0/0x1b0
 ? kvm_clock_get_cycles+0xd/0x10
 ? ktime_get_update_offsets_now+0x6f/0x280
 hrtimer_interrupt+0x2c8/0x740

Fix the problem by checking that the parent of the two bfqqs we are
merging in bfq_setup_merge() is the same.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 33%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	𝑥 < 5.4.198
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.121
linux	linux_kernel	5.13 ≤ 𝑥 < 5.15.46
linux	linux_kernel	5.16 ≤ 𝑥 < 5.17.14
linux	linux_kernel	5.18 ≤ 𝑥 < 5.18.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.234-1 fixed
sid	6.12.16-1 fixed
trixie	6.12.12-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.100.1

fixed

dlm-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.100.1

fixed

gfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.100.1

fixed

kernel-64kb

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default-base

suse enterprise server 15 SP4	5.14.21-150400.24.158.1.150400.24.78.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1.150500.6.47.1 fixed

kernel-docs

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-macros

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-obs-build

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-source

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-syms

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-zfcpdump

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

ocfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.100.1

fixed

reiserfs-kmp-default

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

bpftool

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-abi-stablelists

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-core

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-debug

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-debug-core

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-debug-devel

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-debug-modules

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-debug-modules-extra

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-devel

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-devel-matched

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-doc

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-modules

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-modules-extra

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-tools

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-tools-libs

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-tools-libs-devel

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-zfcpdump

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-zfcpdump-core

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-zfcpdump-devel

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-zfcpdump-modules

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-zfcpdump-modules-extra

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

perf

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

python3-perf

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/5ee21edaed09e6b25f2c007b3f326752bc89bacf

https://git.kernel.org/stable/c/8abc8763b11c35e03cc91d59fd0cd28d39f88ca9

https://git.kernel.org/stable/c/a16c65cca7d2c7ff965fdd3adc8df2156529caf1

https://git.kernel.org/stable/c/c1cee4ab36acef271be9101590756ed0c0c374d9