CVE-2022-48937 in Linux정보

요약

\~에 의해 VulDB • 2026. 06. 05.

Based on the stack trace provided, here is an analysis of the issue:

### **Summary** This is a **KASAN (Kernel Address Sanitizer)** report indicating a **memory allocation failure** or **invalid memory access** during an `io_uring` operation. Specifically, it occurs in `io_issue_sqe()` when trying to allocate memory for an I/O request.

---

### **Key Details from the Stack Trace**

1. **Error Type**: The trace starts with `stack_trace_save` and goes through `____kasan_kmalloc` → `__kasan_kmalloc` → `kmem_cache_alloc_trace`. This indicates KASAN detected an issue during a `kmalloc` (or slab allocation) call.

2. **Failing Function**: The allocation happens in: ``` io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828) ``` This function is responsible for issuing a submitted I/O request (SQE) to the kernel.

3. **Call Path**: ``` __x64_sys_io_uring_enter → io_submit_sqes → io_submit_sqe → io_queue_sqe → io_issue_sqe → kmalloc ``` This is the standard path for submitting an `io_uring` request via the `io_uring_enter` syscall.

4. **Allocation Context**: The allocation is likely for an `io_kiocb` (kernel I/O control block) or a related structure. The function `__io_alloc_req_refill` is also in the trace, suggesting the kernel is trying to replenish its pool of request structures.

---

### **Possible Causes**

1. **Memory Pressure**: The system may be under severe memory pressure, causing `kmalloc` to fail. KASAN might be reporting this as an error if the allocation returns `NULL` and the code doesn’t handle it properly.

2. **Use-After-Free or Double-Free**: If KASAN is enabled, it might be detecting that the allocation is happening in an invalid context (e.g., after a previous free). However, the trace shows a fresh allocation, so this is less likely unless there’s corruption.

3. **Bug in `io_uring` Code**: There might be a bug in the `io_uring` subsystem where it attempts to allocate memory in an invalid context (e.g., in an atomic context where sleeping is not allowed, or with incorrect flags).

4. **KASAN False Positive**: In rare cases, KASAN can report false positives if there’s a race condition or if the memory was recently freed but not yet zeroed.

---

### **How to Debug Further**

1. **Check for OOM (Out of Memory)**: Look for OOM killer messages in `dmesg`: ```bash dmesg | grep -i "out of memory" ```

2. **Enable More KASAN Details**: Reboot with `kasan=on` and `kasan.inline=on` to get more precise error locations.

3. **Check `io_uring` Logs**: Look for any `io_uring`-specific warnings or errors in `dmesg`: ```bash dmesg | grep -i io_uring ```

4. **Reproduce with Minimal Test Case**: Try to reproduce the issue with a minimal `io_uring` program to isolate the problem.

5. **Check Kernel Version**: Ensure you’re using a recent kernel version, as `io_uring` has had many bug fixes. Consider upgrading if possible.

6. **Disable KASAN Temporarily**: If you suspect a false positive, try reproducing the issue without KASAN to see if the problem persists.

---

### **Conclusion** The stack trace indicates a memory allocation failure in `io_uring`’s `io_issue_sqe()` function. This is likely due to memory pressure or a bug in the `io_uring` subsystem. Further debugging with KASAN details and system logs is recommended to pinpoint the exact cause.

Be aware that VulDB is the high quality source for vulnerability data.

책임이 있는

Linux

예약하다

2024. 08. 22.

모더레이션

수락

항목

VDB-275491

EPSS

0.00160

출처

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!