CVE-2022-49465

High

Published: 26 February 2025

Published

26 February 2025

Modified

21 January 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: blk-throttle: Set BIO_THROTTLED when bio has been throttled 1.In current process, all bio will set the BIO_THROTTLED flag after __blk_throtl_bio(). 2.If bio needs to be throttled, it will start the timer and stop submit bio directly. Bio will submit in blk_throtl_dispatch_work_fn() when the timer expires.But in the current process, if bio is throttled. The BIO_THROTTLED will be set to bio after timer start. If the bio has been completed, it may cause use-after-free blow. BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70 Read of size 2 at addr ffff88801b8902d4 by task fio/26380 dump_stack+0x9b/0xce print_address_description.constprop.6+0x3e/0x60 kasan_report.cold.9+0x22/0x3a blk_throtl_bio+0x12f0/0x2c70 submit_bio_checks+0x701/0x1550 submit_bio_noacct+0x83/0xc80 submit_bio+0xa7/0x330 mpage_readahead+0x380/0x500 read_pages+0x1c1/0xbf0 page_cache_ra_unbounded+0x471/0x6f0 do_page_cache_ra+0xda/0x110 ondemand_readahead+0x442/0xae0 page_cache_async_ra+0x210/0x300 generic_file_buffered_read+0x4d9/0x2130 generic_file_read_iter+0x315/0x490 blkdev_read_iter+0x113/0x1b0 aio_read+0x2ad/0x450 io_submit_one+0xc8e/0x1d60 __se_sys_io_submit+0x125/0x350 do_syscall_64+0x2d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Allocated by task 26380: kasan_save_stack+0x19/0x40 __kasan_kmalloc.constprop.2+0xc1/0xd0 kmem_cache_alloc+0x146/0x440 mempool_alloc+0x125/0x2f0 bio_alloc_bioset+0x353/0x590 mpage_alloc+0x3b/0x240 do_mpage_readpage+0xddf/0x1ef0 mpage_readahead+0x264/0x500 read_pages+0x1c1/0xbf0 page_cache_ra_unbounded+0x471/0x6f0 do_page_cache_ra+0xda/0x110 ondemand_readahead+0x442/0xae0 page_cache_async_ra+0x210/0x300 generic_file_buffered_read+0x4d9/0x2130 generic_file_read_iter+0x315/0x490 blkdev_read_iter+0x113/0x1b0 aio_read+0x2ad/0x450 io_submit_one+0xc8e/0x1d60 __se_sys_io_submit+0x125/0x350 do_syscall_64+0x2d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 0: kasan_save_stack+0x19/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x1b/0x30 __kasan_slab_free+0x111/0x160 kmem_cache_free+0x94/0x460 mempool_free+0xd6/0x320 bio_free+0xe0/0x130 bio_put+0xab/0xe0 bio_endio+0x3a6/0x5d0 blk_update_request+0x590/0x1370 scsi_end_request+0x7d/0x400 scsi_io_completion+0x1aa/0xe50 scsi_softirq_done+0x11b/0x240 blk_mq_complete_request+0xd4/0x120 scsi_mq_done+0xf0/0x200 virtscsi_vq_done+0xbc/0x150 vring_interrupt+0x179/0x390 __handle_irq_event_percpu+0xf7/0x490 handle_irq_event_percpu+0x7b/0x160 handle_irq_event+0xcc/0x170 handle_edge_irq+0x215/0xb20 common_interrupt+0x60/0x120 asm_common_interrupt+0x1e/0x40 Fix this by move BIO_THROTTLED set into the queue_lock.

Security Summary

CVE-2022-49465 is a use-after-free vulnerability in the Linux kernel's blk-throttle subsystem. The issue arises because the BIO_THROTTLED flag is set on a bio after the __blk_throtl_bio() function, even if the bio needs throttling. When throttled, the bio starts a timer and is not immediately submitted, but the flag is set prematurely. If the bio completes before the timer expires—such as during read-ahead operations—it can lead to a use-after-free when blk_throtl_bio() later accesses the freed bio, as detected by KASAN in scenarios involving asynchronous I/O submissions like fio tasks on block devices.

A local attacker with low privileges can exploit this vulnerability due to its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation requires running on the affected system and triggering block I/O operations under throttling conditions, such as during page read-ahead or aio_read on throttled block devices. Successful exploitation of the use-after-free (CWE-416) could allow the attacker to achieve high-impact confidentiality, integrity, and availability violations, potentially including kernel code execution or system crashes.

The vulnerability is fixed in Linux kernel stable releases via commits that move the setting of the BIO_THROTTLED flag inside the queue_lock to prevent the race condition. Relevant patches are available at https://git.kernel.org/stable/c/047ea38d41d90d748bca812a43339632f52ba715, https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4, https://git.kernel.org/stable/c/24ba80efaf6e772f6132465fad08e20fb4767da7, https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f, and https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290. Security practitioners should ensure systems apply these updates to mitigate the risk.

Details

CWE(s): CWE-416

Affected Products

linux

linux kernel

≤ 5.10.248 · 5.11 — 5.15.198 · 5.16 — 5.17.14

References

https://git.kernel.org/stable/c/047ea38d41d90d748bca812a43339632f52ba715
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/0cfc8a0fb07cde61915e4a77c4794c47de3114a4
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/24ba80efaf6e772f6132465fad08e20fb4767da7
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5a011f889b4832aa80c2a872a5aade5c48d2756f
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/935fa666534d7b7185e8c6b0191cd06281be4290
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67