CVE-2022-49720 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
block: Fix handling of offline queues in blk_mq_alloc_request_hctx()
This patch prevents that test nvme/004 triggers the following:
UBSAN: array-index-out-of-bounds in block/blk-mq.h:135:9
index 512 is out of range for type 'long unsigned int [512]'
Call Trace:
show_stack+0x52/0x58
dump_stack_lvl+0x49/0x5e
dump_stack+0x10/0x12
ubsan_epilogue+0x9/0x3b
__ubsan_handle_out_of_bounds.cold+0x44/0x49
blk_mq_alloc_request_hctx+0x304/0x310
__nvme_submit_sync_cmd+0x70/0x200 [nvme_core]
nvmf_connect_io_queue+0x23e/0x2a0 [nvme_fabrics]
nvme_loop_connect_io_queues+0x8d/0xb0 [nvme_loop]
nvme_loop_create_ctrl+0x58e/0x7d0 [nvme_loop]
nvmf_create_ctrl+0x1d7/0x4d0 [nvme_fabrics]
nvmf_dev_write+0xae/0x111 [nvme_fabrics]
vfs_write+0x144/0x560
ksys_write+0xb7/0x140
__x64_sys_write+0x42/0x50
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Analysis
by VulDB Data Team • 04/17/2025
The vulnerability CVE-2022-49720 represents a critical array index out-of-bounds error within the Linux kernel's block layer subsystem, specifically affecting the nvme driver implementation. This issue manifests in the blk_mq_alloc_request_hctx() function where an improper bounds check leads to memory corruption when handling offline queues during NVMe I/O operations. The vulnerability is particularly significant as it occurs during the normal operation of NVMe storage controllers and can be triggered through standard NVMe fabric connections, making it exploitable in real-world scenarios. The UBSAN (Undefined Behavior Sanitizer) detection confirms the precise location of the fault at line 135 in block/blk-mq.h where an index value of 512 exceeds the bounds of a long unsigned int array with 512 elements, effectively creating a buffer overflow condition.
The technical flaw stems from inadequate validation of queue indices when allocating hardware context requests for NVMe controllers. During NVMe fabric connection establishment, particularly when connecting I/O queues through functions like nvmf_connect_io_queue and nvme_loop_connect_io_queues, the kernel attempts to allocate request structures for hardware contexts without proper bounds checking. The call trace demonstrates this progression from user-space write operations through the kernel's file system layer down to the NVMe core drivers, ultimately failing within the blk_mq_alloc_request_hctx function. This function operates within the context of the block multi-queue subsystem (blk-mq) which manages concurrent I/O operations across multiple hardware queues, and the failure occurs when attempting to access array elements beyond the allocated memory boundaries.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation and system instability. When the out-of-bounds access occurs, it can corrupt adjacent memory regions, potentially affecting kernel data structures, function pointers, or other critical system components. The vulnerability affects NVMe storage systems that utilize the Linux kernel's NVMe fabric implementation, which includes both direct NVMe over PCIe connections and NVMe over Fabrics (NVMf) implementations. Attackers could potentially exploit this through crafted I/O operations or by establishing malicious NVMe fabric connections, though the exact exploitation vector would depend on the specific system configuration and attack surface. The vulnerability's classification aligns with CWE-129: Improper Validation of Array Index, which specifically addresses the lack of bounds checking in array access operations.
Mitigation strategies for this vulnerability require immediate kernel updates to apply the patch that resolves the array bounds checking issue in blk_mq_alloc_request_hctx(). System administrators should prioritize applying the patched kernel version to all systems running affected NVMe storage configurations, particularly those utilizing NVMe fabrics or loopback connections. Additionally, monitoring for UBSAN reports or kernel oops messages related to array index out-of-bounds errors should be implemented as early detection mechanisms. The fix specifically addresses the root cause by ensuring proper validation of queue indices before array access, preventing the scenario where a 512-element array could be accessed with an index of 512. Organizations should also consider implementing kernel lockdown mechanisms and restricting NVMe fabric connections to trusted networks as additional defensive measures. This vulnerability's presence in the Linux kernel's core block layer underscores the importance of maintaining up-to-date system firmware and kernel versions, as such issues can provide attackers with opportunities to compromise system integrity and availability through carefully crafted storage I/O operations.
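The following is an added, constructed C model of the flaw described in the analysis above and of the bounds check the fix introduces; it is not kernel code and not the upstream patch. It assumes the kernel convention that a CPU-mask search returns the mask size (nr_cpu_ids) when no CPU matches, and uses a 512-entry table to mirror the index 512 in the UBSAN report; the function and variable names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed model of the blk_mq_alloc_request_hctx() flaw, not kernel code.
 * NR_CPUS mirrors the 512-entry array named in the UBSAN report. */
#define NR_CPUS 512

static unsigned long per_cpu_ctx[NR_CPUS]; /* valid indices are 0..511 */
static bool hctx_mask[NR_CPUS];            /* CPUs mapped to this hctx */
static bool online[NR_CPUS];               /* CPUs currently online */

/* Models cpumask_first_and(): first CPU set in both masks, or NR_CPUS when none
 * is (the kernel returns nr_cpu_ids). Pre-fix code used this unchecked: 512. */
static unsigned int first_and(const bool *mask, const bool *onl)
{
    for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++)
        if (mask[cpu] && onl[cpu])
            return cpu;
    return NR_CPUS;
}

/* Checked lookup: return NULL (the kernel would return an error pointer) when the
 * hctx has no online CPU, instead of reading past per_cpu_ctx[]. Assumed shape. */
static unsigned long *alloc_ctx_checked(const bool *mask, const bool *onl)
{
    unsigned int cpu = first_and(mask, onl);
    if (cpu >= NR_CPUS)
        return NULL;
    return &per_cpu_ctx[cpu];
}

/* Constructed scenario: the hctx maps CPUs 8-11 and all of them are offline;
 * only CPUs 0-7 are online, as after hot-unplugging the CPUs behind one queue. */
static void build_masks(void)
{
    for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++) {
        hctx_mask[cpu] = cpu >= 8 && cpu < 12;
        online[cpu] = cpu < 8;
    }
}

int main(void)
{
    build_masks();
    printf("unchecked index %u, table has %d entries\n", first_and(hctx_mask, online), NR_CPUS);
    printf("checked lookup: %p\n", (void *)alloc_ctx_checked(hctx_mask, online));
    online[9] = true; /* bring one CPU of the hctx back online */
    printf("after CPU 9 online: %p\n", (void *)alloc_ctx_checked(hctx_mask, online));
}
```

With every CPU of the hctx offline the unchecked search yields 512 for a 512-entry table, which is the exact condition UBSAN reported; the checked lookup refuses instead, and succeeds once a CPU of that hctx is online again.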