CVE-2022-48983 (GCVE-0-2022-48983)

Vulnerability from cvelistv5 – Published: 2024-10-21 20:06 – Updated: 2026-05-11 18:50
VLAI
Title
io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
Summary
In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows: BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ? io_tctx_exit_cb+0x53/0xd3 kasan_report+0xbb/0x1f0 ? io_tctx_exit_cb+0x53/0xd3 kasan_check_range+0x140/0x190 io_tctx_exit_cb+0x53/0xd3 task_work_run+0x164/0x250 ? task_work_cancel+0x30/0x30 get_signal+0x1c3/0x2440 ? lock_downgrade+0x6e0/0x6e0 ? lock_downgrade+0x6e0/0x6e0 ? exit_signals+0x8b0/0x8b0 ? do_raw_read_unlock+0x3b/0x70 ? do_raw_spin_unlock+0x50/0x230 arch_do_signal_or_restart+0x82/0x2470 ? kmem_cache_free+0x260/0x4b0 ? putname+0xfe/0x140 ? get_sigframe_size+0x10/0x10 ? do_execveat_common.isra.0+0x226/0x710 ? lockdep_hardirqs_on+0x79/0x100 ? putname+0xfe/0x140 ? do_execveat_common.isra.0+0x238/0x710 exit_to_user_mode_prepare+0x15f/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0023:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Kernel panic - not syncing: panic_on_warn set ... This happens because the adding of task_work from io_ring_exit_work() isn't synchronized with canceling all work items from eg exec. The execution of the two are ordered in that they are both run by the task itself, but if io_tctx_exit_cb() is queued while we're canceling all work items off exec AND gets executed when the task exits to userspace rather than in the main loop in io_uring_cancel_generic(), then we can find current->io_uring == NULL and hit the above crash. It's safe to add this NULL check here, because the execution of the two paths are done by the task itself. [axboe: add code comment and also put an explanation in the commit msg]
Severity
No CVSS data available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d56d938b4bef3e1421a42023cdcd6e13c1f50831 , < f895511de9d27fff71dad2c234ad53b4afd2b06c (git)
Affected: d56d938b4bef3e1421a42023cdcd6e13c1f50831 , < d91edca1943453aaaba4f380f6f364346222e5cf (git)
Affected: d56d938b4bef3e1421a42023cdcd6e13c1f50831 , < 998b30c3948e4d0b1097e639918c5cff332acac5 (git)
Create a notification for this product.
Linux Linux Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.83 , ≤ 5.15.* (semver)
Unaffected: 6.0.13 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48983",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:17:35.242008Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:18:43.423Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/io_uring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f895511de9d27fff71dad2c234ad53b4afd2b06c",
              "status": "affected",
              "version": "d56d938b4bef3e1421a42023cdcd6e13c1f50831",
              "versionType": "git"
            },
            {
              "lessThan": "d91edca1943453aaaba4f380f6f364346222e5cf",
              "status": "affected",
              "version": "d56d938b4bef3e1421a42023cdcd6e13c1f50831",
              "versionType": "git"
            },
            {
              "lessThan": "998b30c3948e4d0b1097e639918c5cff332acac5",
              "status": "affected",
              "version": "d56d938b4bef3e1421a42023cdcd6e13c1f50831",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/io_uring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.83",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\n\nSyzkaller reports a NULL deref bug as follows:\n\n BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3\n Read of size 4 at addr 0000000000000138 by task file1/1955\n\n CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0xcd/0x134\n  ? io_tctx_exit_cb+0x53/0xd3\n  kasan_report+0xbb/0x1f0\n  ? io_tctx_exit_cb+0x53/0xd3\n  kasan_check_range+0x140/0x190\n  io_tctx_exit_cb+0x53/0xd3\n  task_work_run+0x164/0x250\n  ? task_work_cancel+0x30/0x30\n  get_signal+0x1c3/0x2440\n  ? lock_downgrade+0x6e0/0x6e0\n  ? lock_downgrade+0x6e0/0x6e0\n  ? exit_signals+0x8b0/0x8b0\n  ? do_raw_read_unlock+0x3b/0x70\n  ? do_raw_spin_unlock+0x50/0x230\n  arch_do_signal_or_restart+0x82/0x2470\n  ? kmem_cache_free+0x260/0x4b0\n  ? putname+0xfe/0x140\n  ? get_sigframe_size+0x10/0x10\n  ? do_execveat_common.isra.0+0x226/0x710\n  ? lockdep_hardirqs_on+0x79/0x100\n  ? putname+0xfe/0x140\n  ? do_execveat_common.isra.0+0x238/0x710\n  exit_to_user_mode_prepare+0x15f/0x250\n  syscall_exit_to_user_mode+0x19/0x50\n  do_syscall_64+0x42/0xb0\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0023:0x0\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n  \u003c/TASK\u003e\n Kernel panic - not syncing: panic_on_warn set ...\n\nThis happens because the adding of task_work from io_ring_exit_work()\nisn\u0027t synchronized with canceling all work items from eg exec. The\nexecution of the two are ordered in that they are both run by the task\nitself, but if io_tctx_exit_cb() is queued while we\u0027re canceling all\nwork items off exec AND gets executed when the task exits to userspace\nrather than in the main loop in io_uring_cancel_generic(), then we can\nfind current-\u003eio_uring == NULL and hit the above crash.\n\nIt\u0027s safe to add this NULL check here, because the execution of the two\npaths are done by the task itself.\n\n[axboe: add code comment and also put an explanation in the commit msg]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T18:50:56.049Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5"
        }
      ],
      "title": "io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48983",
    "datePublished": "2024-10-21T20:06:00.376Z",
    "dateReserved": "2024-08-22T01:27:53.633Z",
    "dateUpdated": "2026-05-11T18:50:56.049Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2022-48983",
      "date": "2026-06-02",
      "epss": "0.00026",
      "percentile": "0.07704"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.12\", \"versionEndExcluding\": \"5.15.83\", \"matchCriteriaId\": \"F3B523BF-F3E1-45F6-8064-D51E4E6D05E7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.16\", \"versionEndExcluding\": \"6.0.13\", \"matchCriteriaId\": \"389392A7-81C4-4C26-884B-8C7CF0F53DA4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"E7E331DA-1FB0-4DEC-91AC-7DA69D461C11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"17F0B248-42CF-4AE6-A469-BB1BAE7F4705\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"E2422816-0C14-4B5E-A1E6-A9D776E5C49B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*\", \"matchCriteriaId\": \"35B26BE4-43A6-4A36-A7F6-5B3F572D9186\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*\", \"matchCriteriaId\": \"3FFFB0B3-930D-408A-91E2-BAE0C2715D80\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*\", \"matchCriteriaId\": \"8535320E-A0DB-4277-800E-D0CE5BBA59E8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*\", \"matchCriteriaId\": \"21718AA4-4056-40F2-968E-BDAA465A7872\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\\n\\nSyzkaller reports a NULL deref bug as follows:\\n\\n BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3\\n Read of size 4 at addr 0000000000000138 by task file1/1955\\n\\n CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\n Call Trace:\\n  \u003cTASK\u003e\\n  dump_stack_lvl+0xcd/0x134\\n  ? io_tctx_exit_cb+0x53/0xd3\\n  kasan_report+0xbb/0x1f0\\n  ? io_tctx_exit_cb+0x53/0xd3\\n  kasan_check_range+0x140/0x190\\n  io_tctx_exit_cb+0x53/0xd3\\n  task_work_run+0x164/0x250\\n  ? task_work_cancel+0x30/0x30\\n  get_signal+0x1c3/0x2440\\n  ? lock_downgrade+0x6e0/0x6e0\\n  ? lock_downgrade+0x6e0/0x6e0\\n  ? exit_signals+0x8b0/0x8b0\\n  ? do_raw_read_unlock+0x3b/0x70\\n  ? do_raw_spin_unlock+0x50/0x230\\n  arch_do_signal_or_restart+0x82/0x2470\\n  ? kmem_cache_free+0x260/0x4b0\\n  ? putname+0xfe/0x140\\n  ? get_sigframe_size+0x10/0x10\\n  ? do_execveat_common.isra.0+0x226/0x710\\n  ? lockdep_hardirqs_on+0x79/0x100\\n  ? putname+0xfe/0x140\\n  ? do_execveat_common.isra.0+0x238/0x710\\n  exit_to_user_mode_prepare+0x15f/0x250\\n  syscall_exit_to_user_mode+0x19/0x50\\n  do_syscall_64+0x42/0xb0\\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n RIP: 0023:0x0\\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\\n RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b\\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n  \u003c/TASK\u003e\\n Kernel panic - not syncing: panic_on_warn set ...\\n\\nThis happens because the adding of task_work from io_ring_exit_work()\\nisn\u0027t synchronized with canceling all work items from eg exec. The\\nexecution of the two are ordered in that they are both run by the task\\nitself, but if io_tctx_exit_cb() is queued while we\u0027re canceling all\\nwork items off exec AND gets executed when the task exits to userspace\\nrather than in the main loop in io_uring_cancel_generic(), then we can\\nfind current-\u003eio_uring == NULL and hit the above crash.\\n\\nIt\u0027s safe to add this NULL check here, because the execution of the two\\npaths are done by the task itself.\\n\\n[axboe: add code comment and also put an explanation in the commit msg]\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: Se corrige un null-ptr-deref en io_tctx_exit_cb() Syzkaller informa un error de desreferencia NULL de la siguiente manera: ERROR: KASAN: null-ptr-deref en io_tctx_exit_cb+0x53/0xd3 Lectura de tama\\u00f1o 4 en la direcci\\u00f3n 0000000000000138 por la tarea file1/1955 CPU: 1 PID: 1955 Comm: file1 No contaminado 6.1.0-rc7-00103-gef4d3ea40565 #75 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Seguimiento de llamadas:  nivel_pila_volcado+0xcd/0x134 ? io_tctx_salir_cb+0x53/0xd3 informe_kasan+0xbb/0x1f0 ? io_tctx_salir_cb+0x53/0xd3 rango_comprobaci\\u00f3n_kasan+0x140/0x190 io_tctx_salir_cb+0x53/0xd3 ejecuci\\u00f3n_trabajo_tarea+0x164/0x250 ? cancelaci\\u00f3n_trabajo_tarea+0x30/0x30 obtener_se\\u00f1al+0x1c3/0x2440 ? degradaci\\u00f3n_bloqueo+0x6e0/0x6e0 ? degradaci\\u00f3n_bloqueo+0x6e0/0x6e0 ? se\\u00f1ales_salida+0x8b0/0x8b0 ? desbloqueo_lectura_sin_datos+0x3b/0x70 ? obtener_sigframe_size+0x10/0x10 ? bloquear_hardirqs_on+0x79/0x100 ? poner_nombre+0xfe/0x140 ? do_execveat_common.isra.0+0x238/0x710 exit_to_user_mode_prepare+0x15f/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0023:0x0 C\\u00f3digo: No se puede acceder a los bytes del c\\u00f3digo de operaci\\u00f3n en 0xffffffffffffffd6. RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000000 RDI: 000000000000000 RBP: 000000000000000 R08: 0000000000000000 R09: 00000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000  P\\u00e1nico del kernel: no se sincroniza: panic_on_warn establecido ... Esto sucede porque la adici\\u00f3n de task_work desde io_ring_exit_work() no est\\u00e1 sincronizada con la cancelaci\\u00f3n de todos los elementos de trabajo, por ejemplo, de exec. La ejecuci\\u00f3n de los dos est\\u00e1 ordenada de manera que ambos son ejecutados por la propia tarea, pero si io_tctx_exit_cb() est\\u00e1 en cola mientras cancelamos todos los elementos de trabajo de exec Y se ejecuta cuando la tarea sale al espacio de usuario en lugar de en el bucle principal en io_uring_cancel_generic(), entonces podemos encontrar current-\u0026gt;io_uring == NULL y alcanzar el bloqueo anterior. Es seguro agregar esta verificaci\\u00f3n NULL aqu\\u00ed, porque la ejecuci\\u00f3n de las dos rutas las realiza la propia tarea. [axboe: agregue un comentario de c\\u00f3digo y tambi\\u00e9n coloque una explicaci\\u00f3n en el mensaje de confirmaci\\u00f3n]\"}]",
      "id": "CVE-2022-48983",
      "lastModified": "2024-10-25T15:58:02.297",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-10-21T20:15:10.283",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}, {\"url\": \"https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"tags\": [\"Patch\"]}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-476\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48983\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-10-21T20:15:10.283\",\"lastModified\":\"2024-10-25T15:58:02.297\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\\n\\nSyzkaller reports a NULL deref bug as follows:\\n\\n BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3\\n Read of size 4 at addr 0000000000000138 by task file1/1955\\n\\n CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\n Call Trace:\\n  \u003cTASK\u003e\\n  dump_stack_lvl+0xcd/0x134\\n  ? io_tctx_exit_cb+0x53/0xd3\\n  kasan_report+0xbb/0x1f0\\n  ? io_tctx_exit_cb+0x53/0xd3\\n  kasan_check_range+0x140/0x190\\n  io_tctx_exit_cb+0x53/0xd3\\n  task_work_run+0x164/0x250\\n  ? task_work_cancel+0x30/0x30\\n  get_signal+0x1c3/0x2440\\n  ? lock_downgrade+0x6e0/0x6e0\\n  ? lock_downgrade+0x6e0/0x6e0\\n  ? exit_signals+0x8b0/0x8b0\\n  ? do_raw_read_unlock+0x3b/0x70\\n  ? do_raw_spin_unlock+0x50/0x230\\n  arch_do_signal_or_restart+0x82/0x2470\\n  ? kmem_cache_free+0x260/0x4b0\\n  ? putname+0xfe/0x140\\n  ? get_sigframe_size+0x10/0x10\\n  ? do_execveat_common.isra.0+0x226/0x710\\n  ? lockdep_hardirqs_on+0x79/0x100\\n  ? putname+0xfe/0x140\\n  ? do_execveat_common.isra.0+0x238/0x710\\n  exit_to_user_mode_prepare+0x15f/0x250\\n  syscall_exit_to_user_mode+0x19/0x50\\n  do_syscall_64+0x42/0xb0\\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n RIP: 0023:0x0\\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\\n RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b\\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n  \u003c/TASK\u003e\\n Kernel panic - not syncing: panic_on_warn set ...\\n\\nThis happens because the adding of task_work from io_ring_exit_work()\\nisn\u0027t synchronized with canceling all work items from eg exec. The\\nexecution of the two are ordered in that they are both run by the task\\nitself, but if io_tctx_exit_cb() is queued while we\u0027re canceling all\\nwork items off exec AND gets executed when the task exits to userspace\\nrather than in the main loop in io_uring_cancel_generic(), then we can\\nfind current-\u003eio_uring == NULL and hit the above crash.\\n\\nIt\u0027s safe to add this NULL check here, because the execution of the two\\npaths are done by the task itself.\\n\\n[axboe: add code comment and also put an explanation in the commit msg]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: Se corrige un null-ptr-deref en io_tctx_exit_cb() Syzkaller informa un error de desreferencia NULL de la siguiente manera: ERROR: KASAN: null-ptr-deref en io_tctx_exit_cb+0x53/0xd3 Lectura de tama\u00f1o 4 en la direcci\u00f3n 0000000000000138 por la tarea file1/1955 CPU: 1 PID: 1955 Comm: file1 No contaminado 6.1.0-rc7-00103-gef4d3ea40565 #75 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Seguimiento de llamadas:  nivel_pila_volcado+0xcd/0x134 ? io_tctx_salir_cb+0x53/0xd3 informe_kasan+0xbb/0x1f0 ? io_tctx_salir_cb+0x53/0xd3 rango_comprobaci\u00f3n_kasan+0x140/0x190 io_tctx_salir_cb+0x53/0xd3 ejecuci\u00f3n_trabajo_tarea+0x164/0x250 ? cancelaci\u00f3n_trabajo_tarea+0x30/0x30 obtener_se\u00f1al+0x1c3/0x2440 ? degradaci\u00f3n_bloqueo+0x6e0/0x6e0 ? degradaci\u00f3n_bloqueo+0x6e0/0x6e0 ? se\u00f1ales_salida+0x8b0/0x8b0 ? desbloqueo_lectura_sin_datos+0x3b/0x70 ? obtener_sigframe_size+0x10/0x10 ? bloquear_hardirqs_on+0x79/0x100 ? poner_nombre+0xfe/0x140 ? do_execveat_common.isra.0+0x238/0x710 exit_to_user_mode_prepare+0x15f/0x250 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x42/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0023:0x0 C\u00f3digo: No se puede acceder a los bytes del c\u00f3digo de operaci\u00f3n en 0xffffffffffffffd6. RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000000000000 RDI: 000000000000000 RBP: 000000000000000 R08: 0000000000000000 R09: 00000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000  P\u00e1nico del kernel: no se sincroniza: panic_on_warn establecido ... Esto sucede porque la adici\u00f3n de task_work desde io_ring_exit_work() no est\u00e1 sincronizada con la cancelaci\u00f3n de todos los elementos de trabajo, por ejemplo, de exec. La ejecuci\u00f3n de los dos est\u00e1 ordenada de manera que ambos son ejecutados por la propia tarea, pero si io_tctx_exit_cb() est\u00e1 en cola mientras cancelamos todos los elementos de trabajo de exec Y se ejecuta cuando la tarea sale al espacio de usuario en lugar de en el bucle principal en io_uring_cancel_generic(), entonces podemos encontrar current-\u0026gt;io_uring == NULL y alcanzar el bloqueo anterior. Es seguro agregar esta verificaci\u00f3n NULL aqu\u00ed, porque la ejecuci\u00f3n de las dos rutas las realiza la propia tarea. [axboe: agregue un comentario de c\u00f3digo y tambi\u00e9n coloque una explicaci\u00f3n en el mensaje de confirmaci\u00f3n]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.12\",\"versionEndExcluding\":\"5.15.83\",\"matchCriteriaId\":\"F3B523BF-F3E1-45F6-8064-D51E4E6D05E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.0.13\",\"matchCriteriaId\":\"389392A7-81C4-4C26-884B-8C7CF0F53DA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7E331DA-1FB0-4DEC-91AC-7DA69D461C11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"17F0B248-42CF-4AE6-A469-BB1BAE7F4705\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2422816-0C14-4B5E-A1E6-A9D776E5C49B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"35B26BE4-43A6-4A36-A7F6-5B3F572D9186\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3FFFB0B3-930D-408A-91E2-BAE0C2715D80\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"8535320E-A0DB-4277-800E-D0CE5BBA59E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"21718AA4-4056-40F2-968E-BDAA465A7872\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48983\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-22T13:17:35.242008Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-22T13:17:38.765Z\"}}], \"cna\": {\"title\": \"io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"d56d938b4bef3e1421a42023cdcd6e13c1f50831\", \"lessThan\": \"f895511de9d27fff71dad2c234ad53b4afd2b06c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d56d938b4bef3e1421a42023cdcd6e13c1f50831\", \"lessThan\": \"d91edca1943453aaaba4f380f6f364346222e5cf\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"d56d938b4bef3e1421a42023cdcd6e13c1f50831\", \"lessThan\": \"998b30c3948e4d0b1097e639918c5cff332acac5\", \"versionType\": \"git\"}], \"programFiles\": [\"io_uring/io_uring.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.12\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.12\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.83\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.0.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.0.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"io_uring/io_uring.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/f895511de9d27fff71dad2c234ad53b4afd2b06c\"}, {\"url\": \"https://git.kernel.org/stable/c/d91edca1943453aaaba4f380f6f364346222e5cf\"}, {\"url\": \"https://git.kernel.org/stable/c/998b30c3948e4d0b1097e639918c5cff332acac5\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()\\n\\nSyzkaller reports a NULL deref bug as follows:\\n\\n BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3\\n Read of size 4 at addr 0000000000000138 by task file1/1955\\n\\n CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014\\n Call Trace:\\n  \u003cTASK\u003e\\n  dump_stack_lvl+0xcd/0x134\\n  ? io_tctx_exit_cb+0x53/0xd3\\n  kasan_report+0xbb/0x1f0\\n  ? io_tctx_exit_cb+0x53/0xd3\\n  kasan_check_range+0x140/0x190\\n  io_tctx_exit_cb+0x53/0xd3\\n  task_work_run+0x164/0x250\\n  ? task_work_cancel+0x30/0x30\\n  get_signal+0x1c3/0x2440\\n  ? lock_downgrade+0x6e0/0x6e0\\n  ? lock_downgrade+0x6e0/0x6e0\\n  ? exit_signals+0x8b0/0x8b0\\n  ? do_raw_read_unlock+0x3b/0x70\\n  ? do_raw_spin_unlock+0x50/0x230\\n  arch_do_signal_or_restart+0x82/0x2470\\n  ? kmem_cache_free+0x260/0x4b0\\n  ? putname+0xfe/0x140\\n  ? get_sigframe_size+0x10/0x10\\n  ? do_execveat_common.isra.0+0x226/0x710\\n  ? lockdep_hardirqs_on+0x79/0x100\\n  ? putname+0xfe/0x140\\n  ? do_execveat_common.isra.0+0x238/0x710\\n  exit_to_user_mode_prepare+0x15f/0x250\\n  syscall_exit_to_user_mode+0x19/0x50\\n  do_syscall_64+0x42/0xb0\\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n RIP: 0023:0x0\\n Code: Unable to access opcode bytes at 0xffffffffffffffd6.\\n RSP: 002b:00000000fffb7790 EFLAGS: 00000200 ORIG_RAX: 000000000000000b\\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\n RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\\n R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\\n  \u003c/TASK\u003e\\n Kernel panic - not syncing: panic_on_warn set ...\\n\\nThis happens because the adding of task_work from io_ring_exit_work()\\nisn\u0027t synchronized with canceling all work items from eg exec. The\\nexecution of the two are ordered in that they are both run by the task\\nitself, but if io_tctx_exit_cb() is queued while we\u0027re canceling all\\nwork items off exec AND gets executed when the task exits to userspace\\nrather than in the main loop in io_uring_cancel_generic(), then we can\\nfind current-\u003eio_uring == NULL and hit the above crash.\\n\\nIt\u0027s safe to add this NULL check here, because the execution of the two\\npaths are done by the task itself.\\n\\n[axboe: add code comment and also put an explanation in the commit msg]\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-12-19T08:11:53.174Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-48983\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-19T08:11:53.174Z\", \"dateReserved\": \"2024-08-22T01:27:53.633Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-10-21T20:06:00.376Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.