| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025102207-CVE-2022-50563-995f@gregkh>
Date: Wed, 22 Oct 2025 15:24:11 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50563: dm thin: Fix UAF in run_timer_softirq()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
dm thin: Fix UAF in run_timer_softirq()
When dm_resume() and dm_destroy() are concurrent, it will
lead to UAF, as follows:
BUG: KASAN: use-after-free in __run_timers+0x173/0x710
Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
<snip>
Call Trace:
<IRQ>
dump_stack_lvl+0x73/0x9f
print_report.cold+0x132/0xaa2
_raw_spin_lock_irqsave+0xcd/0x160
__run_timers+0x173/0x710
kasan_report+0xad/0x110
__run_timers+0x173/0x710
__asan_store8+0x9c/0x140
__run_timers+0x173/0x710
call_timer_fn+0x310/0x310
pvclock_clocksource_read+0xfa/0x250
kvm_clock_read+0x2c/0x70
kvm_clock_get_cycles+0xd/0x20
ktime_get+0x5c/0x110
lapic_next_event+0x38/0x50
clockevents_program_event+0xf1/0x1e0
run_timer_softirq+0x49/0x90
__do_softirq+0x16e/0x62c
__irq_exit_rcu+0x1fa/0x270
irq_exit_rcu+0x12/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
One of the concurrency UAF can be shown as below:
use free
do_resume |
__find_device_hash_cell |
dm_get |
atomic_inc(&md->holders) |
| dm_destroy
| __dm_destroy
| if (!dm_suspended_md(md))
| atomic_read(&md->holders)
| msleep(1)
dm_resume |
__dm_resume |
dm_table_resume_targets |
pool_resume |
do_waker #add delay work |
dm_put |
atomic_dec(&md->holders) |
| dm_table_destroy
| pool_dtr
| __pool_dec
| __pool_destroy
| destroy_workqueue
| kfree(pool) # free pool
time out
__do_softirq
run_timer_softirq # pool has already been freed
This can be easily reproduced using:
1. create thin-pool
2. dmsetup suspend pool
3. dmsetup resume pool
4. dmsetup remove_all # Concurrent with 3
The root cause of this UAF bug is that dm_resume() adds timer after
dm_destroy() skips cancelling the timer because of suspend status.
After timeout, it will call run_timer_softirq(), however pool has
already been freed. The concurrency UAF bug will happen.
Therefore, cancelling timer again in __pool_destroy().
The Linux kernel CVE team has assigned CVE-2022-50563 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 4.9.337 with commit 7ee059d06a5d3c15465959e0472993e80fbe4e81
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 4.14.303 with commit 550a4fac7ecfee5bac6a0dd772456ca62fb72f46
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 4.19.270 with commit e8b8e0d2bbf7d1172c4f435621418e29ee408d46
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 5.4.229 with commit 7ae6aa649394e1e7f6dafb55ce0d578c0572a280
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 5.10.163 with commit 34fe9c2251f19786a6689149a6212c6c0de1d63b
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 5.15.87 with commit 34cd15d83b7206188d440b29b68084fcafde9395
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 6.0.18 with commit 94e231c9d6f2648d2f1f68e7f476e050ee0a6159
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 6.1.4 with commit d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd
Issue introduced in 3.2 with commit 991d9fa02da0dd1f843dc011376965e0c8c6c9b5 and fixed in 6.2 with commit 88430ebcbc0ec637b710b947738839848c20feff
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50563
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/md/dm-thin.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7ee059d06a5d3c15465959e0472993e80fbe4e81
https://git.kernel.org/stable/c/550a4fac7ecfee5bac6a0dd772456ca62fb72f46
https://git.kernel.org/stable/c/e8b8e0d2bbf7d1172c4f435621418e29ee408d46
https://git.kernel.org/stable/c/7ae6aa649394e1e7f6dafb55ce0d578c0572a280
https://git.kernel.org/stable/c/34fe9c2251f19786a6689149a6212c6c0de1d63b
https://git.kernel.org/stable/c/34cd15d83b7206188d440b29b68084fcafde9395
https://git.kernel.org/stable/c/94e231c9d6f2648d2f1f68e7f476e050ee0a6159
https://git.kernel.org/stable/c/d9971fa4d8bde63d49c743c1b32d12fbbd3a30bd
https://git.kernel.org/stable/c/88430ebcbc0ec637b710b947738839848c20feff
Powered by blists - more mailing lists