CVE-2022-50064

{"id": "CVE-2022-50064", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:35.157", "references": [{"url": "https://git.kernel.org/stable/c/2b54e14535bc34bf649372060d518ec9f2b893b3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8d12ec10292877751ee4463b11a63bd850bc09b5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-blk: Avoid use-after-free on suspend/resume\n\nhctx->user_data is set to vq in virtblk_init_hctx(). However, vq is\nfreed on suspend and reallocated on resume. So, hctx->user_data is\ninvalid after resume, and it will cause use-after-free accessing which\nwill result in the kernel crash something like below:\n\n[ 22.428391] Call Trace:\n[ 22.428899] <TASK>\n[ 22.429339] virtqueue_add_split+0x3eb/0x620\n[ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0\n[ 22.430789] ? kvm_clock_get_cycles+0x14/0x30\n[ 22.431496] virtqueue_add_sgs+0xad/0xd0\n[ 22.432108] virtblk_add_req+0xe8/0x150\n[ 22.432692] virtio_queue_rqs+0xeb/0x210\n[ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280\n[ 22.434059] __blk_flush_plug+0xe1/0x140\n[ 22.434853] blk_finish_plug+0x20/0x40\n[ 22.435512] read_pages+0x20a/0x2e0\n[ 22.436063] ? folio_add_lru+0x62/0xa0\n[ 22.436652] page_cache_ra_unbounded+0x112/0x160\n[ 22.437365] filemap_get_pages+0xe1/0x5b0\n[ 22.437964] ? context_to_sid+0x70/0x100\n[ 22.438580] ? sidtab_context_to_sid+0x32/0x400\n[ 22.439979] filemap_read+0xcd/0x3d0\n[ 22.440917] xfs_file_buffered_read+0x4a/0xc0\n[ 22.441984] xfs_file_read_iter+0x65/0xd0\n[ 22.442970] __kernel_read+0x160/0x2e0\n[ 22.443921] bprm_execve+0x21b/0x640\n[ 22.444809] do_execveat_common.isra.0+0x1a8/0x220\n[ 22.446008] __x64_sys_execve+0x2d/0x40\n[ 22.446920] do_syscall_64+0x37/0x90\n[ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThis patch fixes this issue by getting vq from vblk, and removes\nvirtblk_init_hctx()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio-blk: Evita el Use-After-Free al suspender/reanudar. hctx-&gt;user_data est\u00e1 configurado como vq en virtblk_init_hctx(). Sin embargo, vq se libera al suspender y se reasigna al reanudar. Por lo tanto, hctx-&gt;user_data no es v\u00e1lido despu\u00e9s de reanudar y provocar\u00e1 el acceso despu\u00e9s de la liberaci\u00f3n, lo que provocar\u00e1 un fallo del kernel similar al siguiente: [ 22.428391] Seguimiento de llamadas: [ 22.428899] [ 22.429339] virtqueue_add_split+0x3eb/0x620 [ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0 [ 22.430789] ? kvm_clock_get_cycles+0x14/0x30 [ 22.431496] virtqueue_add_sgs+0xad/0xd0 [ 22.432108] virtblk_add_req+0xe8/0x150 [ 22.432692] virtio_queue_rqs+0xeb/0x210 [ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280 [ 22.434059] __blk_flush_plug+0xe1/0x140 [ 22.434853] blk_finish_plug+0x20/0x40 [ 22.435512] read_pages+0x20a/0x2e0 [ 22.436063] ? folio_add_lru+0x62/0xa0 [ 22.436652] page_cache_ra_unbounded+0x112/0x160 [ 22.437365] filemap_get_pages+0xe1/0x5b0 [ 22.437964] ? context_to_sid+0x70/0x100 [ 22.438580] ? sidtab_context_to_sid+0x32/0x400 [ 22.439979] filemap_read+0xcd/0x3d0 [ 22.440917] xfs_file_buffered_read+0x4a/0xc0 [ 22.441984] xfs_file_read_iter+0x65/0xd0 [ 22.442970] __kernel_read+0x160/0x2e0 [ 22.443921] bprm_execve+0x21b/0x640 [ 22.444809] do_execveat_common.isra.0+0x1a8/0x220 [ 22.446008] __x64_sys_execve+0x2d/0x40 [ 22.446920] do_syscall_64+0x37/0x90 [ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd Este parche corrige este problema obteniendo vq de vblk y elimina virtblk_init_hctx()."}], "lastModified": "2025-11-13T18:26:46.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B05B3A7-DED2-4B21-94AE-AE1F779C2A3D", "versionEndExcluding": "5.19.4", "versionStartIncluding": "5.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}