CVE-2022-49441

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-49441
In the Linux kernel, the following vulnerability has been resolved: tty: fix deadlock caused by calling printk() under tty_port->lock pty_write() invokes kmalloc() which may invoke a normal printk() to print failure message. This can cause a deadlock in the scenario reported by syz-bot below: CPU0 CPU1 CPU2 ---- ---- ---- lock(console_owner); lock(&port_lock_key); lock(&port->lock); lock(&port_lock_key); lock(&port->lock); lock(console_owner); As commit dbdda842fe96 ("printk: Add console owner and waiter logic to load balance console writes") said, such deadlock can be prevented by using printk_deferred() in kmalloc() (which is invoked in the section guarded by the port->lock). But there are too many printk() on the kmalloc() path, and kmalloc() can be called from anywhere, so changing printk() to printk_deferred() is too complicated and inelegant. Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so that printk() will not be called, and this deadlock problem can be avoided. Syzbot reported the following lockdep error: ====================================================== WARNING: possible circular locking dependency detected 5.4.143-00237-g08ccc19a-dirty #10 Not tainted ------------------------------------------------------ syz-executor.4/29420 is trying to acquire lock: ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline] ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023 but task is already holding lock: ffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&port->lock){-.-.}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 tty_port_tty_get drivers/tty/tty_port.c:288 [inline] <-- lock(&port->lock); tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47 serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767 serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] <-- lock(&port_lock_key); serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870 serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126 __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156 [...] -> #1 (&port_lock_key){-.-.}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198 <-- lock(&port_lock_key); call_console_drivers kernel/printk/printk.c:1819 [inline] console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504 vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024 <-- lock(console_owner); vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394 printk+0xba/0xed kernel/printk/printk.c:2084 register_console+0x8b3/0xc10 kernel/printk/printk.c:2829 univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681 console_init+0x49d/0x6d3 kernel/printk/printk.c:2915 start_kernel+0x5e9/0x879 init/main.c:713 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 -> #0 (console_owner){....}-{0:0}: [...] lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734 console_trylock_spinning kernel/printk/printk.c:1773 ---truncated---

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/04ee31678c128a6cc7bb057ea189a8624ba5a314 Patch
https://git.kernel.org/stable/c/0bcf44903ef4df742dcada86ccaedd25374ffb50 Patch
https://git.kernel.org/stable/c/18ca0d55e8639b911df8aae1b47598b13f9acded Patch
https://git.kernel.org/stable/c/3219ac364ac3d8d30771612a6010f1e0b7fa0a28 Patch
https://git.kernel.org/stable/c/4af21b12a60ed2d3642284f4f85b42d7dc6ac246 Patch
https://git.kernel.org/stable/c/4c253caf9264d2aa47ee806a87986dd8eb91a5d9 Patch
https://git.kernel.org/stable/c/6b9dbedbe3499fef862c4dff5217cf91f34e43b3 Patch
https://git.kernel.org/stable/c/9834b13e8b962caa28fbcf1f422dd82413da4ede Patch
https://git.kernel.org/stable/c/b3c974501d0c32258ae0e04e5cc3fb92383b40f6 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
History

17 Mar 2025, 16:53

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/04ee31678c128a6cc7bb057ea189a8624ba5a314 - () https://git.kernel.org/stable/c/04ee31678c128a6cc7bb057ea189a8624ba5a314 - Patch
References () https://git.kernel.org/stable/c/0bcf44903ef4df742dcada86ccaedd25374ffb50 - () https://git.kernel.org/stable/c/0bcf44903ef4df742dcada86ccaedd25374ffb50 - Patch
References () https://git.kernel.org/stable/c/18ca0d55e8639b911df8aae1b47598b13f9acded - () https://git.kernel.org/stable/c/18ca0d55e8639b911df8aae1b47598b13f9acded - Patch
References () https://git.kernel.org/stable/c/3219ac364ac3d8d30771612a6010f1e0b7fa0a28 - () https://git.kernel.org/stable/c/3219ac364ac3d8d30771612a6010f1e0b7fa0a28 - Patch
References () https://git.kernel.org/stable/c/4af21b12a60ed2d3642284f4f85b42d7dc6ac246 - () https://git.kernel.org/stable/c/4af21b12a60ed2d3642284f4f85b42d7dc6ac246 - Patch
References () https://git.kernel.org/stable/c/4c253caf9264d2aa47ee806a87986dd8eb91a5d9 - () https://git.kernel.org/stable/c/4c253caf9264d2aa47ee806a87986dd8eb91a5d9 - Patch
References () https://git.kernel.org/stable/c/6b9dbedbe3499fef862c4dff5217cf91f34e43b3 - () https://git.kernel.org/stable/c/6b9dbedbe3499fef862c4dff5217cf91f34e43b3 - Patch
References () https://git.kernel.org/stable/c/9834b13e8b962caa28fbcf1f422dd82413da4ede - () https://git.kernel.org/stable/c/9834b13e8b962caa28fbcf1f422dd82413da4ede - Patch
References () https://git.kernel.org/stable/c/b3c974501d0c32258ae0e04e5cc3fb92383b40f6 - () https://git.kernel.org/stable/c/b3c974501d0c32258ae0e04e5cc3fb92383b40f6 - Patch
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: se corrige el bloqueo causado por llamar a printk() bajo tty_port-&gt;lock pty_write() invoca kmalloc() que puede invocar un printk() normal para imprimir un mensaje de error. Esto puede causar un bloqueo en el escenario informado por syz-bot a continuación: CPU0 CPU1 CPU2 ---- ---- ---- lock(console_owner); lock(&amp;port_lock_key); lock(&amp;port-&gt;lock); lock(&amp;port_lock_key); lock(&amp;port-&gt;lock); lock(console_owner); Como dijo el commit dbdda842fe96 ("printk: Agregar lógica de propietario y espera de consola para equilibrar la carga de escrituras de consola"), dicho bloqueo se puede prevenir usando printk_deferred() en kmalloc() (que se invoca en la sección protegida por port-&gt;lock). Pero hay demasiados printk() en la ruta kmalloc() y kmalloc() se puede llamar desde cualquier lugar, por lo que cambiar printk() a printk_deferred() es demasiado complicado y poco elegante. Por lo tanto, este parche elige especificar __GFP_NOWARN en kmalloc(), de modo que no se llame a printk() y se pueda evitar este problema de bloqueo. Syzbot informó el siguiente error de lockdep: ======================================================== ADVERTENCIA: posible dependencia de bloqueo circular detectada 5.4.143-00237-g08ccc19a-dirty #10 Not tainted ------------------------------------------------------ syz-executor.4/29420 is trying to acquire lock: ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline] ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023 but task is already holding lock: ffff8880119c9158 (&amp;port-&gt;lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -&gt; #2 (&amp;port-&gt;lock){-.-.}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 tty_port_tty_get drivers/tty/tty_port.c:288 [inline] &lt;-- lock(&amp;port-&gt;lock); tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47 serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767 serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854 serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline] &lt;-- lock(&amp;port_lock_key); serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870 serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126 __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156 [...] -&gt; #1 (&amp;port_lock_key){-.-.}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198 &lt;-- lock(&amp;port_lock_key); call_console_drivers kernel/printk/printk.c:1819 [inline] console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504 vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024 &lt;-- lock(console_owner); vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394 printk+0xba/0xed kernel/printk/printk.c:2084 register_console+0x8b3/0xc10 kernel/printk/printk.c:2829 univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681 console_init+0x49d/0x6d3 kernel/printk/printk.c:2915 start_kernel+0x5e9/0x879 init/main.c:713 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241 -&gt; #0 (console_owner){....}-{0:0}: [...] lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734 console_trylock_spinning kernel/printk/printk.c:1773 ---truncated---
CWE CWE-667

26 Feb 2025, 07:01

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-26 07:01

Updated : 2025-03-17 16:53

NVD link : CVE-2022-49441

Mitre link : CVE-2022-49441

CVE.ORG link : CVE-2022-49441

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-667

Improper Locking