| ID |
CVE-2022-49270
|
| Sažetak |
In the Linux kernel, the following vulnerability has been resolved:
dm: fix use-after-free in dm_cleanup_zoned_dev()
dm_cleanup_zoned_dev() uses queue, so it must be called
before blk_cleanup_disk() starts its killing:
blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
Otherwise, RCU callback may be executed first and
dm_cleanup_zoned_dev() will touch free'd memory:
BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0+0x1f/0x150
? dm_cleanup_zoned_dev+0x33/0xd0
kasan_report.cold+0x7f/0x11b
? dm_cleanup_zoned_dev+0x33/0xd0
dm_cleanup_zoned_dev+0x33/0xd0
__dm_destroy+0x26a/0x400
? dm_blk_ioctl+0x230/0x230
? up_write+0xd8/0x270
dev_remove+0x156/0x1d0
ctl_ioctl+0x269/0x530
? table_clear+0x140/0x140
? lock_release+0xb2/0x750
? remove_all+0x40/0x40
? rcu_read_lock_sched_held+0x12/0x70
? lock_downgrade+0x3c0/0x3c0
? rcu_read_lock_sched_held+0x12/0x70
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb6dfa95c27 |
| Reference |
|
| CVSS |
| Base: | 7.8 |
| Impact: | 5.9 |
| Exploitability: | 1.8 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| LOCAL |
LOW |
LOW |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| HIGH |
HIGH |
HIGH |
|
| CVSS vektor |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Zadnje važnije ažuriranje |
25-03-2025 - 15:23 |
| Objavljeno |
26-02-2025 - 07:01 |
