Wind River Support Network

HomeDefectsLIN1022-18087
Fixed

LIN1022-18087 : Security Advisory - linux - CVE-2022-50516

Created: Oct 9, 2025    Updated: Oct 10, 2025
Resolved Date: Oct 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.3
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]fs: dlm: fix invalid derefence of sb_lvbptr[EOL][EOL]I experience issues when putting a lkbsb on the stack and have sb_lvbptr[EOL]field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash[EOL]with the following kernel message, the dangled pointer is here[EOL]0xdeadbeef as example:[EOL][EOL][  102.749317] BUG: unable to handle page fault for address: 00000000deadbeef[EOL][  102.749320] #PF: supervisor read access in kernel mode[EOL][  102.749323] #PF: error_code(0x0000) - not-present page[EOL][  102.749325] PGD 0 P4D 0[EOL][  102.749332] Oops: 0000 [#1] PREEMPT SMP PTI[EOL][  102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G        W         5.19.0-rc3+ #1565[EOL][  102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014[EOL][  102.749344] RIP: 0010:memcpy_erms+0x6/0x10[EOL][  102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe[EOL][  102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202[EOL][  102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040[EOL][  102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070[EOL][  102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001[EOL][  102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70[EOL][  102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001[EOL][  102.749368] FS:  0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000[EOL][  102.749372] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL][  102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0[EOL][  102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[EOL][  102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[EOL][  102.749379] PKRU: 55555554[EOL][  102.749381] Call Trace:[EOL][  102.749382]  <TASK>[EOL][  102.749383]  ? send_args+0xb2/0xd0[EOL][  102.749389]  send_common+0xb7/0xd0[EOL][  102.749395]  _unlock_lock+0x2c/0x90[EOL][  102.749400]  unlock_lock.isra.56+0x62/0xa0[EOL][  102.749405]  dlm_unlock+0x21e/0x330[EOL][  102.749411]  ? lock_torture_stats+0x80/0x80 [dlm_locktorture][EOL][  102.749416]  torture_unlock+0x5a/0x90 [dlm_locktorture][EOL][  102.749419]  ? preempt_count_sub+0xba/0x100[EOL][  102.749427]  lock_torture_writer+0xbd/0x150 [dlm_locktorture][EOL][  102.786186]  kthread+0x10a/0x130[EOL][  102.786581]  ? kthread_complete_and_exit+0x20/0x20[EOL][  102.787156]  ret_from_fork+0x22/0x30[EOL][  102.787588]  </TASK>[EOL][  102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw[EOL][  102.792536] CR2: 00000000deadbeef[EOL][  102.792930] ---[ end trace 0000000000000000 ]---[EOL][EOL]This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags[EOL]is set when copying the lvbptr array instead of if it's just null which[EOL]fixes for me the issue.[EOL][EOL]I think this patch can fix other dlm users as well, depending how they[EOL]handle the init, freeing memory handling of sb_lvbptr and don't set[EOL]DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a[EOL]hidden issue all the time. However with checking on DLM_LKF_VALBLK the[EOL]user always need to provide a sb_lvbptr non-null value. There might be[EOL]more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and[EOL]non-null to report the user the way how DLM API is used is wrong but can[EOL]be added for later, this will only fix the current behaviour.

CVEs


Live chat
Online