CVE-2022-49412

{"id": "CVE-2022-49412", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:17.703", "references": [{"url": "https://git.kernel.org/stable/c/5ee21edaed09e6b25f2c007b3f326752bc89bacf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7d172b9dc913e161d8ff88770eea01701ff553de", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8abc8763b11c35e03cc91d59fd0cd28d39f88ca9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/97be7d13fbd4001eeab49b1be6399f23a8c66160", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a16c65cca7d2c7ff965fdd3adc8df2156529caf1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c1cee4ab36acef271be9101590756ed0c0c374d9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Avoid merging queues with different parents\n\nIt can happen that the parent of a bfqq changes between the moment we\ndecide two queues are worth to merge (and set bic->stable_merge_bfqq)\nand the moment bfq_setup_merge() is called. This can happen e.g. because\nthe process submitted IO for a different cgroup and thus bfqq got\nreparented. It can even happen that the bfqq we are merging with has\nparent cgroup that is already offline and going to be destroyed in which\ncase the merge can lead to use-after-free issues such as:\n\nBUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50\nRead of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544\n\nCPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014\nCall Trace:\n <IRQ>\n dump_stack_lvl+0x46/0x5a\n print_address_description.constprop.0+0x1f/0x140\n ? __bfq_deactivate_entity+0x9cb/0xa50\n kasan_report.cold+0x7f/0x11b\n ? __bfq_deactivate_entity+0x9cb/0xa50\n __bfq_deactivate_entity+0x9cb/0xa50\n ? update_curr+0x32f/0x5d0\n bfq_deactivate_entity+0xa0/0x1d0\n bfq_del_bfqq_busy+0x28a/0x420\n ? resched_curr+0x116/0x1d0\n ? bfq_requeue_bfqq+0x70/0x70\n ? check_preempt_wakeup+0x52b/0xbc0\n __bfq_bfqq_expire+0x1a2/0x270\n bfq_bfqq_expire+0xd16/0x2160\n ? try_to_wake_up+0x4ee/0x1260\n ? bfq_end_wr_async_queues+0xe0/0xe0\n ? _raw_write_unlock_bh+0x60/0x60\n ? _raw_spin_lock_irq+0x81/0xe0\n bfq_idle_slice_timer+0x109/0x280\n ? bfq_dispatch_request+0x4870/0x4870\n __hrtimer_run_queues+0x37d/0x700\n ? enqueue_hrtimer+0x1b0/0x1b0\n ? kvm_clock_get_cycles+0xd/0x10\n ? ktime_get_update_offsets_now+0x6f/0x280\n hrtimer_interrupt+0x2c8/0x740\n\nFix the problem by checking that the parent of the two bfqqs we are\nmerging in bfq_setup_merge() is the same."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bfq: evitar la fusi\u00f3n de colas con diferentes padres Puede suceder que el padre de un bfqq cambie entre el momento en que decidimos que vale la pena fusionar dos colas (y establecemos bic-&gt;stable_merge_bfqq) y el momento en que se llama a bfq_setup_merge(). Esto puede suceder, por ejemplo, porque el proceso envi\u00f3 IO para un cgroup diferente y, por lo tanto, bfqq se volvi\u00f3 a asignar como padre. Incluso puede suceder que el bfqq con el que estamos fusionando tenga un cgroup padre que ya est\u00e1 fuera de l\u00ednea y se va a destruir, en cuyo caso la fusi\u00f3n puede provocar problemas de use-after-free, como: ERROR: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50 Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544 CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 Call Trace: dump_stack_lvl+0x46/0x5a print_address_description.constprop.0+0x1f/0x140 ? __bfq_deactivate_entity+0x9cb/0xa50 kasan_report.cold+0x7f/0x11b ? __bfq_deactivate_entity+0x9cb/0xa50 __bfq_deactivate_entity+0x9cb/0xa50 ? update_curr+0x32f/0x5d0 bfq_deactivate_entity+0xa0/0x1d0 bfq_del_bfqq_busy+0x28a/0x420 ? resched_curr+0x116/0x1d0 ? bfq_requeue_bfqq+0x70/0x70 ? check_preempt_wakeup+0x52b/0xbc0 __bfq_bfqq_expire+0x1a2/0x270 bfq_bfqq_expire+0xd16/0x2160 ? try_to_wake_up+0x4ee/0x1260 ? bfq_end_wr_async_queues+0xe0/0xe0 ? _raw_write_unlock_bh+0x60/0x60 ? _raw_spin_lock_irq+0x81/0xe0 bfq_idle_slice_timer+0x109/0x280 ? bfq_dispatch_request+0x4870/0x4870 __hrtimer_run_queues+0x37d/0x700 ? enqueue_hrtimer+0x1b0/0x1b0 ? kvm_clock_get_cycles+0xd/0x10 ? ktime_get_update_offsets_now+0x6f/0x280 hrtimer_interrupt+0x2c8/0x740 Solucione el problema comprobando que el padre de los dos bfqqs que estamos fusionando en bfq_setup_merge() sea el mismo."}], "lastModified": "2025-03-24T19:52:31.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1C86ABC-337F-46B3-BCD8-22DC5A66E45A", "versionEndExcluding": "5.4.198"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34ACD872-E5BC-401C-93D5-B357A62426E0", "versionEndExcluding": "5.10.121", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7544E3D-BDEB-4355-B7BF-123300FCDB6F", "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}