CVE-2022-49767

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-49767
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49767.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49767
Downstream
Related
Published
2025-05-01T14:09:06.183Z
Modified
2026-04-11T12:44:29.283883Z
Summary
9p/trans_fd: always use O_NONBLOCK read/write
Details

In the Linux kernel, the following vulnerability has been resolved:

9p/transfd: always use ONONBLOCK read/write

syzbot is reporting hung task at p9fdclose() [1], for p9muxpollstop() from p9conndestroy() from p9fdclose() is failing to interrupt already started kernelread() from p9fdread() from p9readwork() and/or kernelwrite() from p9fdwrite() from p9write_work() requests.

Since p9socketopen() sets ONONBLOCK flag, p9muxpollstop() does not need to interrupt kernelread()/kernelwrite(). However, since p9fdopen() does not set ONONBLOCK flag, but pipe blocks unless signal is pending, p9muxpollstop() needs to interrupt kernelread()/kernelwrite() when the file descriptor refers to a pipe. In other words, pipe file descriptor needs to be handled as if socket file descriptor.

We somehow need to interrupt kernelread()/kernelwrite() on pipes.

A minimal change, which this patch is doing, is to set ONONBLOCK flag from p9fdopen(), for ONONBLOCK flag does not affect reading/writing of regular files. But this approach changes ONONBLOCK flag on userspace- supplied file descriptors (which might break userspace programs), and ONONBLOCK flag could be changed by userspace. It would be possible to set ONONBLOCK flag every time p9fdread()/p9fdwrite() is invoked, but still remains small race window for clearing ONONBLOCK flag.

If we don't want to manipulate ONONBLOCK flag, we might be able to surround kernelread()/kernelwrite() with setthreadflag(TIFSIGPENDING) and recalcsigpending(). Since p9readwork()/p9writework() works are processed by kernel threads which process global systemwq workqueue, signals could not be delivered from remote threads when p9muxpollstop() from p9conndestroy() from p9fdclose() is called. Therefore, calling setthreadflag(TIFSIGPENDING)/recalcsigpending() every time would be needed if we count on signals for making kernelread()/kernel_write() non-blocking.

[Dominique: add comment at Christian's suggestion]

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49767.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
27979bb2ff748613dba96ae66392a76fb0678527
Fixed
0b5e6bd72b8171364616841603a70e4ba9837063
Fixed
9f8554615df668e4bf83294633ee9d232b28ce45
Fixed
7abf40f06a76c0dff42eada10597917e9776fbd4
Fixed
b1ad04da7fe4515e2ce2d5f2dcab3b5b6d45614b
Fixed
a8e2fc8f7b41fa9d9ca5f624f4e4d34fce5b40a9
Fixed
0e07032b4b4724b8ad1003698cb81083c1818999
Fixed
5af16182c5639349415118e9e9aecd8355f7a08b
Fixed
ef575281b21e9a34dfae544a187c6aac2ae424a9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49767.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.17
Fixed
4.9.334
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.300
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.267
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.225
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.156
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.80
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.10

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49767.json"