CVE-2022-48913
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48913
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48913.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-48913
- Downstream
- Related
- Published
- 2024-08-22T01:31:34Z
- Modified
- 2025-10-08T06:57:38.563365Z
- Summary
- blktrace: fix use after free for struct blk_trace
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
blktrace: fix use after free for struct blk_trace
When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfsdir' and 'bt->dir' is NULL, thus blktrace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg':
================================================================== BUG: KASAN: use-after-free in blkdroppedread+0x89/0x100 Read of size 4 at addr ffff88816912f3d8 by task blktrace/1188
CPU: 27 PID: 1188 Comm: blktrace Not tainted 5.17.0-rc4-next-20220217+ #469 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727073836-4 Call Trace: <TASK> dumpstacklvl+0x34/0x44 printaddressdescription.constprop.0.cold+0xab/0x381 ? blkdroppedread+0x89/0x100 ? blkdroppedread+0x89/0x100 kasanreport.cold+0x83/0xdf ? blkdroppedread+0x89/0x100 kasancheckrange+0x140/0x1b0 blkdroppedread+0x89/0x100 ? blkcreatebuffilecallback+0x20/0x20 ? kmemcachefree+0xa1/0x500 ? dosysopenat2+0x258/0x460 fullproxyread+0x8f/0xc0 vfsread+0xc6/0x260 ksysread+0xb9/0x150 ? vfswrite+0x3d0/0x3d0 ? fpregsassertstateconsistent+0x55/0x60 ? exittousermodeprepare+0x39/0x1e0 dosyscall64+0x35/0x80 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7fbc080d92fd Code: ce 20 00 00 75 10 b8 00 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 1 RSP: 002b:00007fbb95ff9cb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007fbb95ff9dc0 RCX: 00007fbc080d92fd RDX: 0000000000000100 RSI: 00007fbb95ff9cc0 RDI: 0000000000000045 RBP: 0000000000000045 R08: 0000000000406299 R09: 00000000fffffffd R10: 000000000153afa0 R11: 0000000000000293 R12: 00007fbb780008c0 R13: 00007fbb78000938 R14: 0000000000608b30 R15: 00007fbb780029c8 </TASK>
Allocated by task 1050: kasansavestack+0x1e/0x40 _kasankmalloc+0x81/0xa0 doblktracesetup+0xcb/0x410 _blktracesetup+0xac/0x130 blktraceioctl+0xe9/0x1c0 blkdevioctl+0xf1/0x390 _x64sysioctl+0xa5/0xe0 dosyscall64+0x35/0x80 entrySYSCALL64afterhwframe+0x44/0xae
Freed by task 1050: kasansavestack+0x1e/0x40 kasansettrack+0x21/0x30 kasansetfreeinfo+0x20/0x30 _kasanslabfree+0x103/0x180 kfree+0x9a/0x4c0 _blktraceremove+0x53/0x70 blktraceioctl+0x199/0x1c0 blkdevcommonioctl+0x5e9/0xb30 blkdevioctl+0x1a5/0x390 _x64sysioctl+0xa5/0xe0 dosyscall64+0x35/0x80 entrySYSCALL64after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88816912f380 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 88 bytes inside of 96-byte region [ffff88816912f380, ffff88816912f3e0) The buggy address belongs to the page: page:000000009a1b4e7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0f flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0000200 ffffea00044f1100 dead000000000002 ffff88810004c780 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff88816912f280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88816912f300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88816912f380: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ^ ffff88816912f400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88816912f480: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc0ea57608b691d6cde8aff23e11f9858a86b5918Fixed78acc7dbd84a8c173a08584750845c31611160f2
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc0ea57608b691d6cde8aff23e11f9858a86b5918Fixed6418634238ade86f2b08192928787f39d8afb58c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc0ea57608b691d6cde8aff23e11f9858a86b5918Fixed30939293262eb433c960c4532a0d59c4073b2b84
Affected versions
v5.*
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
Database specific
{
"vanir_signatures": [
{
"digest": {
"length": 251.0,
"function_hash": "300411304692663011586393048712093393020"
},
"id": "CVE-2022-48913-1cdd21a4",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "__blk_trace_remove",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6418634238ade86f2b08192928787f39d8afb58c"
},
{
"digest": {
"length": 1968.0,
"function_hash": "202516095294133631339835960672285991592"
},
"id": "CVE-2022-48913-2b0757ae",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "do_blk_trace_setup",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"digest": {
"length": 468.0,
"function_hash": "199477292591099748679755045914260702066"
},
"id": "CVE-2022-48913-2d97aa19",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_remove_queue",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"digest": {
"length": 1968.0,
"function_hash": "202516095294133631339835960672285991592"
},
"id": "CVE-2022-48913-31c4a26f",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "do_blk_trace_setup",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78acc7dbd84a8c173a08584750845c31611160f2"
},
{
"digest": {
"length": 94.0,
"function_hash": "180918027445862843720709667287240461914"
},
"id": "CVE-2022-48913-354cdb04",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_cleanup",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78acc7dbd84a8c173a08584750845c31611160f2"
},
{
"digest": {
"length": 1968.0,
"function_hash": "202516095294133631339835960672285991592"
},
"id": "CVE-2022-48913-50b048d3",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "do_blk_trace_setup",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6418634238ade86f2b08192928787f39d8afb58c"
},
{
"digest": {
"length": 251.0,
"function_hash": "300411304692663011586393048712093393020"
},
"id": "CVE-2022-48913-574f9138",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "__blk_trace_remove",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"digest": {
"line_hashes": [
"4349711951368064418538793495520715011",
"184315569691509287212496373274752988525",
"178954966893875998230739235118907377411",
"327392052840911374381198384286173767276",
"151042298482787626075590341110807698621",
"43250041096533275639393949420474280154",
"114011626677522851845889374277399408321",
"289714491547974423035965310112856550181",
"82791453778615986040240024098119691003",
"31265197102809255256170255707486446381",
"301797165752305448173063653258657781872",
"96286918777518969173151427848847493817",
"184772330804211141864584002322662966535",
"204519544803211474015259698562763037475",
"292084302483543614419594023400508590170",
"25526212694661764548880606885042802339",
"46815937873956701064985519042719654644",
"10621223477881139606880967191121670290",
"122117066181349167822968940219879004738",
"142257899650237764868749328909499136305",
"320218975542518725833576134492734543232",
"140835662006498593054606998361052673145",
"300975179366362073501111939519580633246",
"317286445518343711313330608606702190266",
"66485320460525017643800044902721625997",
"74242795657103713464540337119309388564",
"179771927714210733644049138451856520041",
"281136412898877065330869821941613734226",
"216984768159480820977908612420259737283",
"56263945476378887440228326169906297858"
],
"threshold": 0.9
},
"id": "CVE-2022-48913-5eb94348",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6418634238ade86f2b08192928787f39d8afb58c"
},
{
"digest": {
"length": 94.0,
"function_hash": "180918027445862843720709667287240461914"
},
"id": "CVE-2022-48913-6d4662fe",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_cleanup",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6418634238ade86f2b08192928787f39d8afb58c"
},
{
"digest": {
"length": 94.0,
"function_hash": "180918027445862843720709667287240461914"
},
"id": "CVE-2022-48913-6fad6aef",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_cleanup",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"digest": {
"length": 188.0,
"function_hash": "26668627048286942099484030125488627396"
},
"id": "CVE-2022-48913-8d08d3b9",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_free",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6418634238ade86f2b08192928787f39d8afb58c"
},
{
"digest": {
"length": 188.0,
"function_hash": "26668627048286942099484030125488627396"
},
"id": "CVE-2022-48913-9c472824",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_free",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78acc7dbd84a8c173a08584750845c31611160f2"
},
{
"digest": {
"length": 188.0,
"function_hash": "26668627048286942099484030125488627396"
},
"id": "CVE-2022-48913-a12d2fba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_free",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"digest": {
"length": 493.0,
"function_hash": "40783911325007518886738910447688508022"
},
"id": "CVE-2022-48913-a9834332",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_setup_queue",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"digest": {
"line_hashes": [
"4349711951368064418538793495520715011",
"184315569691509287212496373274752988525",
"178954966893875998230739235118907377411",
"327392052840911374381198384286173767276",
"151042298482787626075590341110807698621",
"43250041096533275639393949420474280154",
"114011626677522851845889374277399408321",
"289714491547974423035965310112856550181",
"82791453778615986040240024098119691003",
"31265197102809255256170255707486446381",
"301797165752305448173063653258657781872",
"96286918777518969173151427848847493817",
"184772330804211141864584002322662966535",
"204519544803211474015259698562763037475",
"292084302483543614419594023400508590170",
"25526212694661764548880606885042802339",
"46815937873956701064985519042719654644",
"10621223477881139606880967191121670290",
"122117066181349167822968940219879004738",
"142257899650237764868749328909499136305",
"320218975542518725833576134492734543232",
"140835662006498593054606998361052673145",
"300975179366362073501111939519580633246",
"317286445518343711313330608606702190266",
"66485320460525017643800044902721625997",
"74242795657103713464540337119309388564",
"179771927714210733644049138451856520041",
"281136412898877065330869821941613734226",
"216984768159480820977908612420259737283",
"56263945476378887440228326169906297858"
],
"threshold": 0.9
},
"id": "CVE-2022-48913-a9add4c7",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78acc7dbd84a8c173a08584750845c31611160f2"
},
{
"digest": {
"line_hashes": [
"4349711951368064418538793495520715011",
"184315569691509287212496373274752988525",
"178954966893875998230739235118907377411",
"327392052840911374381198384286173767276",
"151042298482787626075590341110807698621",
"43250041096533275639393949420474280154",
"114011626677522851845889374277399408321",
"289714491547974423035965310112856550181",
"82791453778615986040240024098119691003",
"31265197102809255256170255707486446381",
"301797165752305448173063653258657781872",
"96286918777518969173151427848847493817",
"184772330804211141864584002322662966535",
"204519544803211474015259698562763037475",
"292084302483543614419594023400508590170",
"25526212694661764548880606885042802339",
"46815937873956701064985519042719654644",
"10621223477881139606880967191121670290",
"122117066181349167822968940219879004738",
"142257899650237764868749328909499136305",
"320218975542518725833576134492734543232",
"140835662006498593054606998361052673145",
"300975179366362073501111939519580633246",
"317286445518343711313330608606702190266",
"66485320460525017643800044902721625997",
"74242795657103713464540337119309388564",
"179771927714210733644049138451856520041",
"281136412898877065330869821941613734226",
"216984768159480820977908612420259737283",
"56263945476378887440228326169906297858"
],
"threshold": 0.9
},
"id": "CVE-2022-48913-aea8cf1d",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@30939293262eb433c960c4532a0d59c4073b2b84"
},
{
"digest": {
"length": 251.0,
"function_hash": "300411304692663011586393048712093393020"
},
"id": "CVE-2022-48913-b0582625",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "__blk_trace_remove",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78acc7dbd84a8c173a08584750845c31611160f2"
},
{
"digest": {
"length": 468.0,
"function_hash": "199477292591099748679755045914260702066"
},
"id": "CVE-2022-48913-b81c7d10",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_remove_queue",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6418634238ade86f2b08192928787f39d8afb58c"
},
{
"digest": {
"length": 493.0,
"function_hash": "40783911325007518886738910447688508022"
},
"id": "CVE-2022-48913-c4383d31",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_setup_queue",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6418634238ade86f2b08192928787f39d8afb58c"
},
{
"digest": {
"length": 468.0,
"function_hash": "199477292591099748679755045914260702066"
},
"id": "CVE-2022-48913-d26c599f",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_remove_queue",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78acc7dbd84a8c173a08584750845c31611160f2"
},
{
"digest": {
"length": 493.0,
"function_hash": "40783911325007518886738910447688508022"
},
"id": "CVE-2022-48913-db078ff4",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "blk_trace_setup_queue",
"file": "kernel/trace/blktrace.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@78acc7dbd84a8c173a08584750845c31611160f2"
}
]
}