CVE-2022-49271
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49271
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49271.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49271
- Downstream
- Related
- Published
- 2025-02-26T01:56:18Z
- Modified
- 2025-10-29T20:59:46.749522Z
- Summary
- cifs: prevent bad output lengths in smb2_ioctl_query_info()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent bad output lengths in smb2ioctlquery_info()
When calling smb2ioctlqueryinfo() with smbqueryinfo::flags=PASSTHRUFSCTL and smbqueryinfo::outputbufferlength=0, the following would return 0x10
buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); if (IS_ERR(buffer)) { kfree(vars); return PTR_ERR(buffer); }rather than a valid pointer thus making ISERR() check fail. This would then cause a NULL ptr deference in @buffer when accessing it later in smb2ioctlqueryioctl(). While at it, prevent having a @buffer smaller than 8 bytes to correctly handle SMB2SETINFO FileEndOfFileInformation requests when smbqueryinfo::flags=PASSTHRUSETINFO.
Here is a small C reproducer which triggers a NULL ptr in @buffer when passing an invalid smbqueryinfo::flags
#include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #define die(s) perror(s), exit(1) #define QUERY_INFO 0xc018cf07 int main(int argc, char *argv[]) { int fd; if (argc < 2) exit(1); fd = open(argv[1], O_RDONLY); if (fd == -1) die("open"); if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) die("ioctl"); close(fd); return 0; } mount.cifs //srv/share /mnt -o ... gcc repro.c && ./a.out /mnt/f0 [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1 [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000 [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000 [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0 [ 114.146131] Call Trace: [ 114.146291] <TASK> [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs] [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs] [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] [ 114.147775] ? dentry_path_raw+0xa6/0xf0 [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs] [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs] [ 114.149371] ? lock_downgrade+0x6f0/0x6f0 [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs] [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0 [ 114.150562] ? __up_read+0x192/0x710 [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0 [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0 [ 114.151296] __x64_sys_ioctl+0x127/0x190 [ 114.151549] do_syscall_64+0x3b/0x90 [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 114.152079] RIP: 0033:0x7f7aead043df [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24---truncated---
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/7529fbee10d82493c5cb109e51788bf74816d1c0
- https://git.kernel.org/stable/c/9963ccea6087268e1275b992dca5d0dd4b938765
- https://git.kernel.org/stable/c/b92e358757b91c2827af112cae9af513f26a3f34
- https://git.kernel.org/stable/c/f143f8334fb9eb2f6c7c15b9da1472d9c965fd84
- https://git.kernel.org/stable/c/fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcfaa1181097f6a1a6f4f6670ebc97848efda0883Fixed9963ccea6087268e1275b992dca5d0dd4b938765
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcfaa1181097f6a1a6f4f6670ebc97848efda0883Fixedf143f8334fb9eb2f6c7c15b9da1472d9c965fd84
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcfaa1181097f6a1a6f4f6670ebc97848efda0883Fixedfadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcfaa1181097f6a1a6f4f6670ebc97848efda0883Fixed7529fbee10d82493c5cb109e51788bf74816d1c0
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcfaa1181097f6a1a6f4f6670ebc97848efda0883Fixedb92e358757b91c2827af112cae9af513f26a3f34
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
Database specific
vanir_signatures
[
{
"id": "CVE-2022-49271-2e8942a8",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "fs/cifs/smb2ops.c",
"function": "smb2_ioctl_query_info"
},
"digest": {
"function_hash": "84974630704622461147741114659173180979",
"length": 5403.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f143f8334fb9eb2f6c7c15b9da1472d9c965fd84"
},
{
"id": "CVE-2022-49271-5b19123c",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "fs/cifs/smb2ops.c",
"function": "smb2_ioctl_query_info"
},
"digest": {
"function_hash": "84974630704622461147741114659173180979",
"length": 5403.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7529fbee10d82493c5cb109e51788bf74816d1c0"
},
{
"id": "CVE-2022-49271-5fe77c96",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/cifs/smb2ops.c"
},
"digest": {
"line_hashes": [
"195639087579040065176921175419669780594",
"311018211596813087901025655790412068690",
"200824735228757785805894732527977019271",
"56596742157685900684853472296048991345",
"178518857128822675598116414764174000192",
"142612723662156205099107485404791928724",
"165075068692799646704049410922955143366",
"261123979497449456997628625465918475860",
"26222601203825138706524339879832125165",
"226158708771223127922412983636498342871",
"136260873278334105843803885646317417571",
"191279316187977147857075461775376273515",
"40371085195943531553042613106802000251",
"326104635601109634660178009651616233061"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9963ccea6087268e1275b992dca5d0dd4b938765"
},
{
"id": "CVE-2022-49271-7665d530",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "fs/cifs/smb2ops.c",
"function": "smb2_ioctl_query_info"
},
"digest": {
"function_hash": "84974630704622461147741114659173180979",
"length": 5403.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9963ccea6087268e1275b992dca5d0dd4b938765"
},
{
"id": "CVE-2022-49271-9dd2124b",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/cifs/smb2ops.c"
},
"digest": {
"line_hashes": [
"195639087579040065176921175419669780594",
"311018211596813087901025655790412068690",
"200824735228757785805894732527977019271",
"56596742157685900684853472296048991345",
"178518857128822675598116414764174000192",
"142612723662156205099107485404791928724",
"165075068692799646704049410922955143366",
"261123979497449456997628625465918475860",
"26222601203825138706524339879832125165",
"226158708771223127922412983636498342871",
"136260873278334105843803885646317417571",
"191279316187977147857075461775376273515",
"40371085195943531553042613106802000251",
"326104635601109634660178009651616233061"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f143f8334fb9eb2f6c7c15b9da1472d9c965fd84"
},
{
"id": "CVE-2022-49271-ab19f7fa",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/cifs/smb2ops.c"
},
"digest": {
"line_hashes": [
"195639087579040065176921175419669780594",
"311018211596813087901025655790412068690",
"200824735228757785805894732527977019271",
"56596742157685900684853472296048991345",
"178518857128822675598116414764174000192",
"142612723662156205099107485404791928724",
"165075068692799646704049410922955143366",
"261123979497449456997628625465918475860",
"26222601203825138706524339879832125165",
"226158708771223127922412983636498342871",
"136260873278334105843803885646317417571",
"191279316187977147857075461775376273515",
"40371085195943531553042613106802000251",
"326104635601109634660178009651616233061"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7529fbee10d82493c5cb109e51788bf74816d1c0"
},
{
"id": "CVE-2022-49271-af7db0cf",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/cifs/smb2ops.c"
},
"digest": {
"line_hashes": [
"195639087579040065176921175419669780594",
"311018211596813087901025655790412068690",
"200824735228757785805894732527977019271",
"56596742157685900684853472296048991345",
"178518857128822675598116414764174000192",
"142612723662156205099107485404791928724",
"165075068692799646704049410922955143366",
"261123979497449456997628625465918475860",
"26222601203825138706524339879832125165",
"226158708771223127922412983636498342871",
"136260873278334105843803885646317417571",
"191279316187977147857075461775376273515",
"40371085195943531553042613106802000251",
"326104635601109634660178009651616233061"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b92e358757b91c2827af112cae9af513f26a3f34"
},
{
"id": "CVE-2022-49271-c23d68c9",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "fs/cifs/smb2ops.c",
"function": "smb2_ioctl_query_info"
},
"digest": {
"function_hash": "84974630704622461147741114659173180979",
"length": 5403.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b92e358757b91c2827af112cae9af513f26a3f34"
},
{
"id": "CVE-2022-49271-c27fae5b",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "fs/cifs/smb2ops.c"
},
"digest": {
"line_hashes": [
"195639087579040065176921175419669780594",
"311018211596813087901025655790412068690",
"200824735228757785805894732527977019271",
"56596742157685900684853472296048991345",
"178518857128822675598116414764174000192",
"142612723662156205099107485404791928724",
"165075068692799646704049410922955143366",
"261123979497449456997628625465918475860",
"26222601203825138706524339879832125165",
"226158708771223127922412983636498342871",
"136260873278334105843803885646317417571",
"191279316187977147857075461775376273515",
"40371085195943531553042613106802000251",
"326104635601109634660178009651616233061"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53"
},
{
"id": "CVE-2022-49271-edaa4e6c",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "fs/cifs/smb2ops.c",
"function": "smb2_ioctl_query_info"
},
"digest": {
"function_hash": "84974630704622461147741114659173180979",
"length": 5403.0
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fadddfc1dc3c6f79b21cff4a7e9a6c40b84fbc53"
}
]