CVE-2022-50819
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50819
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50819.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-50819
- Downstream
- Published
- 2025-12-30T12:08:34.225Z
- Modified
- 2026-01-02T20:47:04.195733Z
- Summary
- udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
When userspace tries to map the dmabuf and if for some reason (e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be set to NULL. Otherwise, when the userspace subsequently closes the dmabuf fd, we'd try to erroneously free the invalid sg table from release_udmabuf resulting in the following crash reported by syzbot:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 RIP: 0010:dmaunmapsgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:putsgtable drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:releaseudmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c 8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2 RSP: 0018:ffffc900037efd30 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000 RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000 R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000 FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dmabufrelease+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78 _dentrykill+0x42b/0x640 fs/dcache.c:612 dentrykill fs/dcache.c:733 [inline] dput+0x806/0xdb0 fs/dcache.c:913 _fput+0x39c/0x9d0 fs/filetable.c:333 taskworkrun+0xdd/0x1a0 kernel/taskwork.c:177 ptracenotify+0x114/0x140 kernel/signal.c:2353 ptracereportsyscall include/linux/ptrace.h:420 [inline] ptracereportsyscallexit include/linux/ptrace.h:482 [inline] syscallexitwork kernel/entry/common.c:249 [inline] syscallexittousermodeprepare+0x129/0x280 kernel/entry/common.c:276 _syscallexittousermodework kernel/entry/common.c:281 [inline] syscallexittousermode+0x9/0x50 kernel/entry/common.c:294 dosyscall64+0x42/0xb0 arch/x86/entry/common.c:86 entrySYSCALL64afterhwframe+0x63/0xcd RIP: 0033:0x7fc1c0c35b6b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIGRAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006 RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:dmaunmapsgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:putsgtable drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:releaseudmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50819.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/9861e43f097a50678041f973347b3a88f2da09cf
- https://git.kernel.org/stable/c/bbe2f6f90310b3a0b5de4e0dc022b36faabfd718
- https://git.kernel.org/stable/c/d9c04a1b7a15b5e74b2977461d9511e497f05d8f
- https://git.kernel.org/stable/c/dfbed8c92eb853929f4fa676ba493391dab47be4
- https://git.kernel.org/stable/c/fc285549f454c0f50f87ec945fc0bf44719c0fa4
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50819.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-50819
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced284562e1f34874e267d4f499362c3816f8f6bc3fFixedbbe2f6f90310b3a0b5de4e0dc022b36faabfd718Fixeddfbed8c92eb853929f4fa676ba493391dab47be4Fixedfc285549f454c0f50f87ec945fc0bf44719c0fa4Fixed9861e43f097a50678041f973347b3a88f2da09cfFixedd9c04a1b7a15b5e74b2977461d9511e497f05d8f