CVE-2022-49810 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

netfs: Fix missing xas_retry() calls in xarray iteration

netfslib has a number of places in which it performs iteration of an xarray whilst being under the RCU read lock. It *should* call xas_retry() as the first thing inside of the loop and do "continue" if it returns true in case the xarray walker passed out a special value indicating that the walk needs to be redone from the root[*].

Fix this by adding the missing retry checks.

[*] I wonder if this should be done inside xas_find(), xas_next_node() and
suchlike, but I'm told that's not an simple change to effect.

This can cause an oops like that below. Note the faulting address - this is an internal value (|0x2) returned from xarray.

BUG: kernel NULL pointer dereference, address: 0000000000000402 ... RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
... Call Trace: netfs_rreq_assess+0xa6/0x240 [netfs]
netfs_readpage+0x173/0x3b0 [netfs]
? init_wait_var_entry+0x50/0x50 filemap_read_page+0x33/0xf0 filemap_get_pages+0x2f2/0x3f0 filemap_read+0xaa/0x320 ? do_filp_open+0xb2/0x150 ? rmqueue+0x3be/0xe10 ceph_read_iter+0x1fe/0x680 [ceph]
? new_sync_read+0x115/0x1a0 new_sync_read+0x115/0x1a0 vfs_read+0xf3/0x180 ksys_read+0x5f/0xe0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae

Changes: ======== ver #2) - Changed an unsigned int to a size_t to reduce the likelihood of an overflow as per Willy's suggestion. - Added an additional patch to fix the maths.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/07/2025

The vulnerability CVE-2022-49810 represents a critical flaw in the Linux kernel's netfs subsystem that stems from improper handling of xarray iteration under RCU read locks. This issue specifically affects the netfslib component which manages network file system operations and relies on xarray data structures for efficient memory management. The root cause lies in missing xas_retry() calls during xarray iteration processes, creating a scenario where the iteration logic fails to properly handle concurrent modifications to the xarray structure. When the xarray walker returns special internal values indicating that the iteration must be restarted from the root, the absence of proper retry checks leads to invalid memory access patterns.

The technical implementation flaw manifests when the kernel attempts to process network file system requests through the netfs subsystem. During these operations, the code performs xarray iteration while holding RCU read locks, but fails to invoke xas_retry() as the initial check within the iteration loop. This omission results in the code proceeding with stale or invalid iterator states, ultimately causing a kernel NULL pointer dereference. The faulting address 0x402 in the reported oops demonstrates this issue where an internal xarray value is being dereferenced, indicating that the iteration logic has encountered a special marker value that should trigger a restart of the iteration process.

The operational impact of this vulnerability is severe as it can lead to kernel panics and system crashes through kernel NULL pointer dereferences, effectively causing denial of service conditions for network file system operations. The vulnerability affects systems utilizing Ceph and other network file systems that depend on the netfs subsystem for their functionality. Attackers could potentially exploit this condition to cause system instability or force kernel crashes, particularly when performing read operations on network file systems. The vulnerability is particularly concerning because it operates at the kernel level where such faults can compromise entire system operations and potentially provide pathways for privilege escalation attacks.

The fix implemented addresses this issue by adding the missing xas_retry() calls at the beginning of xarray iteration loops within the netfs subsystem. This ensures that when the xarray walker returns special values indicating iteration restart requirements, the code properly handles these conditions by continuing the loop rather than proceeding with invalid state. The patch also includes additional improvements such as changing an unsigned int to size_t to prevent potential integer overflow scenarios and adding supplementary fixes to address mathematical calculations that could contribute to the vulnerability. This remediation aligns with best practices for concurrent data structure access patterns and follows the established kernel development principles for handling RCU-protected data structures. The solution directly addresses the CWE-362 weakness category related to race conditions in concurrent programming, specifically targeting the improper handling of shared data structures under concurrent access conditions.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!