CVE-2022-49300

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49300
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49300.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49300
Related
Published
2025-02-26T07:01:06Z
Modified
2025-04-14T20:50:36.178431Z
Downstream
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix race between nbdallocconfig() and module removal

When nbd module is being removing, nbdallocconfig() may be called concurrently by nbdgenlconnect(), although trymoduleget() will return false, but nbdallocconfig() doesn't handle it.

The race may lead to the leak of nbdconfig and its related resources (e.g, recvworkq) and oops in nbdreadstat() due to the unload of nbd module as shown below:

BUG: kernel NULL pointer dereference, address: 0000000000000040 Oops: 0000 [#1] SMP PTI CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Workqueue: knbd16-recv recvwork [nbd] RIP: 0010:nbdreadstat.cold+0x130/0x1a4 [nbd] Call Trace: recvwork+0x3b/0xb0 [nbd] processonework+0x1ed/0x390 workerthread+0x4a/0x3d0 kthread+0x12a/0x150 retfrom_fork+0x22/0x30

Fixing it by checking the return value of trymoduleget() in nbdallocconfig(). As nbdallocconfig() may return ERRPTR(-ENODEV), assign nbd->config only when nbdalloc_config() succeeds to ensure the value of nbd->config is binary (valid or NULL).

Also adding a debug message to check the reference counter of nbd_config during module removal.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.127-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}