CVE-2022-49257

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49257
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49257.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49257
Related
Published
2025-02-26T07:01:02Z
Modified
2025-02-26T19:03:11.558038Z
Downstream
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Fix NULL dereference in error cleanup

In watchqueuesetsize(), the error cleanup code doesn't take account of the fact that _free_page() can't handle a NULL pointer when trying to free up buffer pages that did get allocated.

Fix this by only calling _freepage() on the pages actually allocated.

Without the fix, this can lead to something like the following:

BUG: KASAN: null-ptr-deref in _freepages+0x1f/0x1b0 mm/pagealloc.c:5473 Read of size 4 at addr 0000000000000034 by task syz-executor168/3599 ... Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 _kasanreport mm/kasan/report.c:446 [inline] kasanreport.cold+0x66/0xdf mm/kasan/report.c:459 checkregioninline mm/kasan/generic.c:183 [inline] kasancheckrange+0x13d/0x180 mm/kasan/generic.c:189 instrumentatomicread include/linux/instrumented.h:71 [inline] atomicread include/linux/atomic/atomic-instrumented.h:27 [inline] pagerefcount include/linux/pageref.h:67 [inline] putpagetestzero include/linux/mm.h:717 [inline] _freepages+0x1f/0x1b0 mm/pagealloc.c:5473 watchqueuesetsize+0x499/0x630 kernel/watchqueue.c:275 pipeioctl+0xac/0x2b0 fs/pipe.c:632 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:874 [inline] _sesysioctl fs/ioctl.c:860 [inline] _x64sysioctl+0x193/0x200 fs/ioctl.c:860 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x44/0xae

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.113-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}