CVE-2022-49413
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:
bfq: Update cgroup information before merging bio
When the process is migrated to a different cgroup (or in case of writeback just starts submitting bios associated with a different cgroup) bfq_merge_bio() can operate with stale cgroup information in bic. Thus the bio can be merged to a request from a different cgroup or it can result in merging of bfqqs for different cgroups or bfqqs of already dead cgroups and causing possible use-after-free issues. Fix the problem by updating cgroup information in bfq_merge_bio().
Security Summary
CVE-2022-49413 is a use-after-free vulnerability (CWE-416) in the Linux kernel's BFQ I/O scheduler. The issue arises in the bfq_merge_bio() function, which can operate with stale cgroup information stored in the block I/O context (bic). This staleness occurs when a process migrates to a different cgroup or when writeback begins submitting I/O operations (bios) associated with a different cgroup. As a result, bios may merge with requests from unrelated cgroups, or bfqq queues from different or already terminated cgroups may merge, leading to potential use-after-free memory corruption. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by inducing cgroup migrations or writeback scenarios involving mismatched cgroups. This triggers improper bio or queue merging in the kernel, enabling use-after-free access to freed memory. Successful exploitation could allow the attacker to achieve high-impact confidentiality, integrity, and availability effects, such as arbitrary code execution, privilege escalation, or system crashes.
Mitigation involves applying upstream patches that update cgroup information in bfq_merge_bio() prior to merging bios. Relevant stable kernel commits include 2a1077f17169a6059992a0bbdb330e0abad1e6d9, b06691af08b41dfd81052a3362514d9827b44bb1, d9165200c5627a2cf4408eefabdf0058bdf95e1a, da9f3025d595956410ceaab2bea01980d7775948, and e8821f45612f2e6d9adb9c6ba0fb4184f57692aa, available via git.kernel.org. Security practitioners should update affected Linux kernels to incorporate these fixes.
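A practical way to carry out the update check above is to verify that a local kernel git tree already contains one of the listed fix commits. The script below is an added example, not part of the CVE record or of the kernel project; it assumes `git` and a local, non-shallow clone whose path and ref are passed by the caller.

```shell
#!/bin/sh
# Added example: report whether a local kernel git tree already carries one of
# the stable fix commits named in the CVE-2022-49413 record. Assumes `git` and a
# local (non-shallow) clone; repo path and ref are supplied by the caller.

CVE_2022_49413_FIXES="2a1077f17169a6059992a0bbdb330e0abad1e6d9 \
b06691af08b41dfd81052a3362514d9827b44bb1 \
d9165200c5627a2cf4408eefabdf0058bdf95e1a \
da9f3025d595956410ceaab2bea01980d7775948 \
e8821f45612f2e6d9adb9c6ba0fb4184f57692aa"

# has_fix_commit REPO REF SHA
# Prints one of: present (SHA is in REF's history), missing (SHA exists in the
# tree but is not reachable from REF), unknown (object not in this tree at all,
# e.g. a shallow clone or a branch that received a different backport).
has_fix_commit() {
    repo=$1; ref=$2; sha=$3
    if ! git -C "$repo" cat-file -e "${sha}^{commit}" 2>/dev/null; then
        echo unknown
        return 2
    fi
    if git -C "$repo" merge-base --is-ancestor "$sha" "$ref" 2>/dev/null; then
        echo present
        return 0
    fi
    echo missing
    return 1
}

# check_tree REPO [REF]: print a status line per listed commit and return 0
# only if at least one fix is reachable from REF (each stable branch carries
# its own backport, so a single "present" is enough).
check_tree() {
    repo=$1; ref=${2:-HEAD}; found=0
    for sha in $CVE_2022_49413_FIXES; do
        status=$(has_fix_commit "$repo" "$ref" "$sha") || :
        printf '%s %s\n' "$sha" "$status"
        [ "$status" = present ] && found=1
    done
    [ "$found" -eq 1 ]
}

# Example invocation (path and ref are placeholders): check_tree /path/to/linux-stable HEAD
```

A result of "unknown" for every commit usually means the tree is shallow or tracks a branch whose backport has a different commit id, so it should be read as "could not verify", not as "fixed".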
Details
- CWE(s)