CVE-2022-49270
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49270
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49270.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49270
- Downstream
- Related
- Published
- 2025-02-26T01:56:17Z
- Modified
- 2025-10-08T09:28:01.963669Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- dm: fix use-after-free in dm_cleanup_zoned_dev()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
dm: fix use-after-free in dmcleanupzoned_dev()
dmcleanupzoneddev() uses queue, so it must be called before blkcleanup_disk() starts its killing:
blkcleanupdisk->blkcleanupqueue()->kobjectput()->blkreleasequeue()-> ->...RCU...->blkfreequeuercu()->kmemcachefree()
Otherwise, RCU callback may be executed first and dmcleanupzoned_dev() will touch free'd memory:
BUG: KASAN: use-after-free in dmcleanupzoned_dev+0x33/0xd0 Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> dumpstacklvl+0x57/0x7d printaddressdescription.constprop.0+0x1f/0x150 ? dmcleanupzoneddev+0x33/0xd0 kasanreport.cold+0x7f/0x11b ? dmcleanupzoneddev+0x33/0xd0 dmcleanupzoneddev+0x33/0xd0 _dmdestroy+0x26a/0x400 ? dmblkioctl+0x230/0x230 ? upwrite+0xd8/0x270 devremove+0x156/0x1d0 ctlioctl+0x269/0x530 ? tableclear+0x140/0x140 ? lockrelease+0xb2/0x750 ? removeall+0x40/0x40 ? rcureadlockschedheld+0x12/0x70 ? lockdowngrade+0x3c0/0x3c0 ? rcureadlockschedheld+0x12/0x70 dmctlioctl+0xa/0x10 _x64sysioctl+0xb9/0xf0 dosyscall64+0x3b/0x90 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7fb6dfa95c27
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0987f00a76a17aa7213da492c00ed9e5a6210c73
- https://git.kernel.org/stable/c/43a043aed964659bc69ef81f266912b73c80d837
- https://git.kernel.org/stable/c/588b7f5df0cb64f281290c7672470c006abe7160
- https://git.kernel.org/stable/c/fdfe414ca28ddfd562c233fb27385cf820de03e8
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbb37d77239af25cde59693dbe3fac04dd17d7b29Fixed0987f00a76a17aa7213da492c00ed9e5a6210c73
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbb37d77239af25cde59693dbe3fac04dd17d7b29Fixedfdfe414ca28ddfd562c233fb27385cf820de03e8
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbb37d77239af25cde59693dbe3fac04dd17d7b29Fixed43a043aed964659bc69ef81f266912b73c80d837
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedbb37d77239af25cde59693dbe3fac04dd17d7b29Fixed588b7f5df0cb64f281290c7672470c006abe7160
Affected versions
v5.*
v5.13
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2022-49270-01f4dc14",
"deprecated": false,
"digest": {
"function_hash": "81366426606027698239026287965572939256",
"length": 785.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fdfe414ca28ddfd562c233fb27385cf820de03e8",
"target": {
"file": "drivers/md/dm.c",
"function": "cleanup_mapped_device"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2022-49270-3bbd4295",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"256538427029333137851255072979133780673",
"13817241541847778795473884006236546381",
"282172158870113756668348867881738317120",
"79558354655916324936995770778617082608",
"67253472398455296585966915240653246454",
"154955768871407162014361812966719815322",
"250212884710974208667930581639527162819"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0987f00a76a17aa7213da492c00ed9e5a6210c73",
"target": {
"file": "drivers/md/dm.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2022-49270-74901d2e",
"deprecated": false,
"digest": {
"function_hash": "81366426606027698239026287965572939256",
"length": 785.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0987f00a76a17aa7213da492c00ed9e5a6210c73",
"target": {
"file": "drivers/md/dm.c",
"function": "cleanup_mapped_device"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2022-49270-91e2f02b",
"deprecated": false,
"digest": {
"function_hash": "65022243914042807747895342230750590298",
"length": 909.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@588b7f5df0cb64f281290c7672470c006abe7160",
"target": {
"file": "drivers/md/dm.c",
"function": "cleanup_mapped_device"
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"id": "CVE-2022-49270-bd9949c1",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"256538427029333137851255072979133780673",
"13817241541847778795473884006236546381",
"282172158870113756668348867881738317120",
"79558354655916324936995770778617082608",
"67253472398455296585966915240653246454",
"154955768871407162014361812966719815322",
"250212884710974208667930581639527162819"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43a043aed964659bc69ef81f266912b73c80d837",
"target": {
"file": "drivers/md/dm.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2022-49270-be0645ea",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"256538427029333137851255072979133780673",
"13817241541847778795473884006236546381",
"282172158870113756668348867881738317120",
"79558354655916324936995770778617082608",
"67253472398455296585966915240653246454",
"154955768871407162014361812966719815322",
"250212884710974208667930581639527162819"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@588b7f5df0cb64f281290c7672470c006abe7160",
"target": {
"file": "drivers/md/dm.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2022-49270-c1f36989",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"256538427029333137851255072979133780673",
"13817241541847778795473884006236546381",
"282172158870113756668348867881738317120",
"79558354655916324936995770778617082608",
"67253472398455296585966915240653246454",
"154955768871407162014361812966719815322",
"250212884710974208667930581639527162819"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fdfe414ca28ddfd562c233fb27385cf820de03e8",
"target": {
"file": "drivers/md/dm.c"
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"id": "CVE-2022-49270-c641f9b3",
"deprecated": false,
"digest": {
"function_hash": "334098829510560124021196836905366526636",
"length": 814.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@43a043aed964659bc69ef81f266912b73c80d837",
"target": {
"file": "drivers/md/dm.c",
"function": "cleanup_mapped_device"
},
"signature_type": "Function",
"signature_version": "v1"
}
]
}