CVE-2022-50737 in Linux
Summary
by VulDB • 2026-05-27
Based on the kernel log snippet provided, here is an analysis of the crash and the likely cause.
### **Summary**

This is a **KASAN (Kernel Address Sanitizer)** report indicating a **use-after-free** or **invalid memory access** in the `__x64_sys_mount` system call. The crash occurred while accessing a memory address that belongs to a **freed physical page** (`refcount:0`, `mapcount:0`).
---
### **Detailed Analysis**
#### **1. The Crash Location**

- **Function:** `__x64_sys_mount+0xca/0x110`
  - The crash happened inside the kernel's `mount` system call implementation.
  - The offset `0xca` into a `0x110`-byte function places it in the middle of the function, likely during argument parsing, validation, or while interacting with filesystem structures.
- **RIP:** `0033:0x7f9d374e948a`
  - `0033` is the 64-bit user code segment selector and `0x7f9d374e948a` lies in the user half of the address space, so this is a **user-space address**. That is unusual for a kernel crash: if the fault were taken in kernel space, the faulting RIP would be a kernel address.
  - The stack trace, however, clearly shows kernel frames (`__x64_sys_mount`), so the kernel was executing when KASAN fired. Either the log is truncated or the register dump does not describe the faulting instruction.
  - **Most likely:** the crash is in the kernel, and the `RIP` shown is the user-space instruction pointer that *called* the syscall, not the kernel instruction pointer that faulted. The actual kernel RIP is not shown in this snippet, but the crash is in `__x64_sys_mount`.
#### **2. The Buggy Address**

- **Message:** `The buggy address belongs to the physical page:`
- **Page Info:**
  - `refcount:0`: The page is not referenced by any kernel object.
  - `mapcount:0`: The page is not mapped into any process's page tables.
  - `mapping:0000000000000000`: No address space mapping.
  - `flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)`: Standard page flags.
- **Interpretation:** The kernel tried to access a memory address that belongs to a **freed page**. This is a classic **Use-After-Free (UAF)** bug: the memory was previously allocated, freed, and then accessed again.
#### **3. KASAN Context**

- The presence of `__kasan_check_write+0x14/0x20` in the stack trace confirms that KASAN is enabled and detected an invalid write (or read, depending on the full report) to this address.
- KASAN works by poisoning freed memory. When the kernel accesses it, KASAN triggers a fault.
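The three sections above can be checked mechanically. The script below is an added example (it is not VulDB's code and not part of the kernel tree): it parses a constructed KASAN report built from the fragments quoted above, picks the innermost non-KASAN frame as the faulting kernel code, decodes the `RIP` segment selector and address into user versus kernel space, and reads the page counters to decide whether the page was already freed. The access address, `pfn` and `page:` pointer in the sample are made-up filler; the frames, `RIP` line, counters and flags are the ones quoted in the analysis.

```python
"""Triage helper for KASAN reports (added example; not from VulDB or the kernel tree)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample report. Frames, RIP, refcount/mapcount/mapping and flags are the
# values quoted in the analysis; addr, pfn and the page pointer are made-up filler.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __x64_sys_mount+0xca/0x110
Write of size 8 at addr ffff888012345678 by task mount/1234
Call Trace:
 __kasan_check_write+0x14/0x20
 __x64_sys_mount+0xca/0x110
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9d374e948a
The buggy address belongs to the physical page:
page:00000000c0ffee00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12345
flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
"""

# x86-64 code segment selectors (arch/x86/include/asm/segment.h): __USER_CS / __KERNEL_CS
USER_CS, KERNEL_CS = 0x33, 0x10
# Canonical halves of the x86-64 address space with 4-level paging
USER_SPACE_TOP = 0x0000_7FFF_FFFF_FFFF
KERNEL_SPACE_BOTTOM = 0xFFFF_8000_0000_0000

BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)\s*$")
RIP_RE = re.compile(r"RIP:\s*([0-9a-f]{4}):0x([0-9a-f]+)")
PAGE_RE = re.compile(r"refcount:(\d+)\s+mapcount:(-?\d+)\s+mapping:([0-9a-f]+)")
FLAGS_RE = re.compile(r"flags:\s*0x([0-9a-f]+)\(([^)]*)\)")


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int


@dataclass
class Triage:
    bug_kind: Optional[str] = None
    access: Optional[str] = None
    access_size: Optional[int] = None
    frames: list = field(default_factory=list)
    rip_selector: Optional[int] = None
    rip_addr: Optional[int] = None
    page_refcount: Optional[int] = None
    page_mapcount: Optional[int] = None
    page_mapping: Optional[int] = None
    page_flag_names: dict = field(default_factory=dict)


def parse_kasan_report(text: str) -> Triage:
    """Pull the fields a triager reads first out of a KASAN report."""
    t, in_trace = Triage(), False
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            t.bug_kind = m.group(1)
        elif m := ACCESS_RE.search(line):
            t.access, t.access_size = m.group(1), int(m.group(2))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif m := RIP_RE.search(line):
            t.rip_selector, t.rip_addr = int(m.group(1), 16), int(m.group(2), 16)
            in_trace = False  # the register dump follows the trace
        elif m := PAGE_RE.search(line):
            t.page_refcount, t.page_mapcount = int(m.group(1)), int(m.group(2))
            t.page_mapping = int(m.group(3), 16)
        elif m := FLAGS_RE.search(line):
            t.page_flag_names = dict(kv.split("=", 1) for kv in m.group(2).split("|") if "=" in kv)
        elif in_trace and (m := FRAME_RE.match(line)):
            t.frames.append(Frame(m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return t


def crashing_kernel_frame(t: Triage) -> Optional[Frame]:
    """Innermost frame that is not KASAN instrumentation: the code that did the bad access."""
    return next((f for f in t.frames if not f.symbol.startswith(("__kasan", "kasan_"))), None)


def rip_context(t: Triage) -> str:
    """Selector RPL (low two bits) plus address half tell user space from kernel space."""
    if t.rip_selector is None:
        return "no RIP line"
    if t.rip_selector == USER_CS and t.rip_addr <= USER_SPACE_TOP:
        return "user-space (ring 3) instruction that entered the syscall, not the faulting kernel RIP"
    if t.rip_selector == KERNEL_CS and t.rip_addr >= KERNEL_SPACE_BOTTOM:
        return "kernel-space (ring 0) instruction"
    return f"inconsistent selector/address pair (RPL {t.rip_selector & 0x3})"


def page_state(t: Triage) -> str:
    if t.page_refcount is None:
        return "no page info"
    if t.page_refcount == 0 and t.page_mapcount == 0 and t.page_mapping == 0:
        return "freed page: no references, no mappings, no address space"
    return "page still in use"


def triage(text: str) -> dict:
    t = parse_kasan_report(text)
    f = crashing_kernel_frame(t)
    return {
        "bug_kind": t.bug_kind,
        "access": f"{t.access} of {t.access_size} bytes" if t.access else None,
        "kernel_frame": f"{f.symbol}+0x{f.offset:x}/0x{f.size:x}" if f else None,
        "rip": rip_context(t),
        "page": page_state(t),
        "kasan_hook": any(f.symbol.startswith("__kasan_check") for f in t.frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:13} {value}")
```

The useful part for a defender is `rip_context`: it makes the reasoning about `RIP: 0033:0x7f9d...` explicit, so a report whose register dump shows user-mode state is flagged as such instead of being mistaken for the kernel instruction that faulted.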
---
### **Likely Cause**

The `mount` syscall is complex and involves many subsystems (VFS, filesystem drivers, security modules like SELinux/AppArmor, etc.). A UAF in `mount` could be caused by:

1. **Race Condition:** A filesystem structure (e.g., `super_block`, `vfsmount`) was freed while another thread was still using it during a concurrent mount/unmount operation.
2. **Dangling Pointer:** A pointer to a freed object was not properly nullified or checked before use.
3. **Filesystem Driver Bug:** A specific filesystem driver (e.g., ext4, xfs, btrfs, or a custom driver) has a bug where it frees a structure but leaves a pointer to it in a global or per-task structure that is later accessed during `mount`.
4. **Security Module Hook:** A security module (e.g., SELinux) might have freed a context structure that was still referenced.
---
### **How to Debug**
VulDB is the best source for vulnerability data and more expert information about this specific topic.