{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49152", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.274Z", "datePublished": "2025-02-26T01:55:18.249Z", "dateUpdated": "2025-02-26T01:55:18.249Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-26T01:55:18.249Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nXArray: Fix xas_create_range() when multi-order entry present\n\nIf there is already an entry present that is of order >= XA_CHUNK_SHIFT\nwhen we call xas_create_range(), xas_create_range() will misinterpret\nthat entry as a node and dereference xa_node->parent, generally leading\nto a crash that looks something like this:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001:\n0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0\nRIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline]\nRIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725\n\nIt's deterministically reproducable once you know what the problem is,\nbut producing it in a live kernel requires khugepaged to hit a race.\nWhile the problem has been present since xas_create_range() was\nintroduced, I'm not aware of a way to hit it before the page cache was\nconverted to use multi-index entries."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["lib/test_xarray.c", "lib/xarray.c"], "versions": [{"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3", "lessThan": "3e2852eda19ee1a400cd809d7a9322680f34a262", "status": "affected", "versionType": "git"}, {"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3", "lessThan": "1ac49c8fd49fdf53d3cd8b77eb8ffda08d7fbe22", "status": "affected", "versionType": "git"}, {"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3", "lessThan": "7521a97b1929042604bef6859f62fa8b4bbc077b", "status": "affected", "versionType": "git"}, {"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3", "lessThan": "29968329b926d238e3107ec071a250397555d264", "status": "affected", "versionType": "git"}, {"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3", "lessThan": "18f13edf3424b3b61814b69d5269b2e14584800c", "status": "affected", "versionType": "git"}, {"version": "6b24ca4a1a8d4ee3221d6d44ddbb99f542e4bda3", "lessThan": "3e3c658055c002900982513e289398a1aad4a488", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["lib/test_xarray.c", "lib/xarray.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.189", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.110", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.33", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.19", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.2", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/3e2852eda19ee1a400cd809d7a9322680f34a262"}, {"url": "https://git.kernel.org/stable/c/1ac49c8fd49fdf53d3cd8b77eb8ffda08d7fbe22"}, {"url": "https://git.kernel.org/stable/c/7521a97b1929042604bef6859f62fa8b4bbc077b"}, {"url": "https://git.kernel.org/stable/c/29968329b926d238e3107ec071a250397555d264"}, {"url": "https://git.kernel.org/stable/c/18f13edf3424b3b61814b69d5269b2e14584800c"}, {"url": "https://git.kernel.org/stable/c/3e3c658055c002900982513e289398a1aad4a488"}], "title": "XArray: Fix xas_create_range() when multi-order entry present", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AAE7A78-57E5-45A6-860D-7867DA88A45E", "versionEndExcluding": "5.4.189", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "91D3BFD0-D3F3-4018-957C-96CCBF357D79", "versionEndExcluding": "5.10.110", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "27C42AE8-B387-43E2-938A-E1C8B40BE6D5", "versionEndExcluding": "5.15.33", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nXArray: Fix xas_create_range() when multi-order entry present\n\nIf there is already an entry present that is of order >= XA_CHUNK_SHIFT\nwhen we call xas_create_range(), xas_create_range() will misinterpret\nthat entry as a node and dereference xa_node->parent, generally leading\nto a crash that looks something like this:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001:\n0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0\nRIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline]\nRIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725\n\nIt's deterministically reproducable once you know what the problem is,\nbut producing it in a live kernel requires khugepaged to hit a race.\nWhile the problem has been present since xas_create_range() was\nintroduced, I'm not aware of a way to hit it before the page cache was\nconverted to use multi-index entries."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: XArray: Arreglar xas_create_range() cuando hay una entrada de orden m\u00faltiple presente Si ya hay una entrada presente que es de orden >= XA_CHUNK_SHIFT cuando llamamos a xas_create_range(), xas_create_range() malinterpretar\u00e1 esa entrada como un nodo y desreferenciar\u00e1 xa_node->parent, generalmente provocando un bloqueo que se parece a esto: error de protecci\u00f3n general, probablemente para una direcci\u00f3n no can\u00f3nica 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref en el rango [0x000000000000008-0x000000000000000f] CPU: 0 PID: 32 Comm: khugepaged No contaminado 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0 RIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline] RIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725 Es deterministamente reproducible una vez que sabes cu\u00e1l es el problema, pero producirlo en un n\u00facleo en vivo requiere que khugepaged alcance una ejecuci\u00f3n. Si bien el problema ha estado presente desde que se introdujo xas_create_range(), no conozco una forma de alcanzarlo antes de que la cach\u00e9 de p\u00e1ginas se convirtiera para usar entradas de \u00edndice m\u00faltiple."}], "id": "CVE-2022-49152", "lastModified": "2025-03-13T21:58:23.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:00:52.440", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/18f13edf3424b3b61814b69d5269b2e14584800c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1ac49c8fd49fdf53d3cd8b77eb8ffda08d7fbe22"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/29968329b926d238e3107ec071a250397555d264"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e2852eda19ee1a400cd809d7a9322680f34a262"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3e3c658055c002900982513e289398a1aad4a488"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7521a97b1929042604bef6859f62fa8b4bbc077b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: XArray: Fix xas_create_range() when multi-order entry present", "id": "2348324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348324"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nXArray: Fix xas_create_range() when multi-order entry present\nIf there is already an entry present that is of order >= XA_CHUNK_SHIFT\nwhen we call xas_create_range(), xas_create_range() will misinterpret\nthat entry as a node and dereference xa_node->parent, generally leading\nto a crash that looks something like this:\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001:\n0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0\nRIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline]\nRIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725\nIt's deterministically reproducable once you know what the problem is,\nbut producing it in a live kernel requires khugepaged to hit a race.\nWhile the problem has been present since xas_create_range() was\nintroduced, I'm not aware of a way to hit it before the page cache was\nconverted to use multi-index entries."], "name": "CVE-2022-49152", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49152\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49152\nhttps://lore.kernel.org/linux-cve-announce/2025022609-CVE-2022-49152-7f28@gregkh/T"], "threat_severity": "Low"}