CVE-2022-49401

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49401
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49401.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49401
Related
Published
2025-02-26T07:01:16Z
Modified
2025-02-26T07:01:16Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/page_owner: use strscpy() instead of strlcpy()

current->comm[] is not a string (no guarantee for a zero byte in it).

strlcpy(s1, s2, l) is calling strlen(s2), potentially causing out-of-bound access, as reported by syzbot:

detected buffer overflow in _fortifystrlen ------------[ cut here ]------------ kernel BUG at lib/stringhelpers.c:980! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:fortifypanic+0x18/0x1a lib/string_helpers.c:980 Code: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a RSP: 0018:ffffc900000074a8 EFLAGS: 00010286

RAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000 RDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87 RBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000 R10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700 R13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Call Trace: <IRQ> fortifystrlen include/linux/fortify-string.h:128 [inline] strlcpy include/linux/fortify-string.h:143 [inline] _setpageownerhandle+0x2b1/0x3e0 mm/pageowner.c:171 _setpageowner+0x3e/0x50 mm/pageowner.c:190 prepnewpage mm/pagealloc.c:2441 [inline] getpagefromfreelist+0xba2/0x3e00 mm/pagealloc.c:4182 _allocpages+0x1b2/0x500 mm/pagealloc.c:5408 allocpages+0x1aa/0x310 mm/mempolicy.c:2272 allocslabpage mm/slub.c:1799 [inline] allocateslab+0x26c/0x3c0 mm/slub.c:1944 newslab mm/slub.c:2004 [inline] _slaballoc+0x8df/0xf20 mm/slub.c:3005 _slaballoc.constprop.0+0x4d/0xa0 mm/slub.c:3092 slaballocnode mm/slub.c:3183 [inline] slaballoc mm/slub.c:3225 [inline] _kmemcachealloclru mm/slub.c:3232 [inline] kmemcachealloc+0x360/0x3b0 mm/slub.c:3242 dstalloc+0x146/0x1f0 net/core/dst.c:92

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}