{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49401", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.565Z", "datePublished": "2025-02-26T02:12:28.603Z", "dateUpdated": "2025-05-04T08:36:53.713Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:36:53.713Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_owner: use strscpy() instead of strlcpy()\n\ncurrent->comm[] is not a string (no guarantee for a zero byte in it).\n\nstrlcpy(s1, s2, l) is calling strlen(s2), potentially\ncausing out-of-bound access, as reported by syzbot:\n\ndetected buffer overflow in __fortify_strlen\n------------[ cut here ]------------\nkernel BUG at lib/string_helpers.c:980!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980\nCode: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a\nRSP: 0018:ffffc900000074a8 EFLAGS: 00010286\n\nRAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000\nRDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87\nRBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000\nR10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700\nR13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nCall Trace:\n <IRQ>\n __fortify_strlen include/linux/fortify-string.h:128 [inline]\n strlcpy include/linux/fortify-string.h:143 [inline]\n __set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171\n __set_page_owner+0x3e/0x50 mm/page_owner.c:190\n prep_new_page mm/page_alloc.c:2441 [inline]\n get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182\n __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408\n alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272\n alloc_slab_page mm/slub.c:1799 [inline]\n allocate_slab+0x26c/0x3c0 mm/slub.c:1944\n new_slab mm/slub.c:2004 [inline]\n ___slab_alloc+0x8df/0xf20 mm/slub.c:3005\n __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092\n slab_alloc_node mm/slub.c:3183 [inline]\n slab_alloc mm/slub.c:3225 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3232 [inline]\n kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242\n dst_alloc+0x146/0x1f0 net/core/dst.c:92"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/page_owner.c"], "versions": [{"version": "865ed6a3278654ce4a55eb74c5283eeb82ad4699", "lessThan": "5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf", "status": "affected", "versionType": "git"}, {"version": "865ed6a3278654ce4a55eb74c5283eeb82ad4699", "lessThan": "cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["mm/page_owner.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.3", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "5.18.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf"}, {"url": "https://git.kernel.org/stable/c/cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a"}], "title": "mm/page_owner: use strscpy() instead of strlcpy()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_owner: use strscpy() instead of strlcpy()\n\ncurrent->comm[] is not a string (no guarantee for a zero byte in it).\n\nstrlcpy(s1, s2, l) is calling strlen(s2), potentially\ncausing out-of-bound access, as reported by syzbot:\n\ndetected buffer overflow in __fortify_strlen\n------------[ cut here ]------------\nkernel BUG at lib/string_helpers.c:980!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980\nCode: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a\nRSP: 0018:ffffc900000074a8 EFLAGS: 00010286\n\nRAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000\nRDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87\nRBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000\nR10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700\nR13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nCall Trace:\n <IRQ>\n __fortify_strlen include/linux/fortify-string.h:128 [inline]\n strlcpy include/linux/fortify-string.h:143 [inline]\n __set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171\n __set_page_owner+0x3e/0x50 mm/page_owner.c:190\n prep_new_page mm/page_alloc.c:2441 [inline]\n get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182\n __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408\n alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272\n alloc_slab_page mm/slub.c:1799 [inline]\n allocate_slab+0x26c/0x3c0 mm/slub.c:1944\n new_slab mm/slub.c:2004 [inline]\n ___slab_alloc+0x8df/0xf20 mm/slub.c:3005\n __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092\n slab_alloc_node mm/slub.c:3183 [inline]\n slab_alloc mm/slub.c:3225 [inline]\n __kmem_cache_alloc_lru mm/slub.c:3232 [inline]\n kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242\n dst_alloc+0x146/0x1f0 net/core/dst.c:92"}], "id": "CVE-2022-49401", "lastModified": "2025-02-26T07:01:16.660", "metrics": {}, "published": "2025-02-26T07:01:16.660", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"affected_release": [{"advisory": "RHSA-2023:7077", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-513.5.1.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "kernel: mm/page_owner: use strscpy() instead of strlcpy()", "id": "2347828", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347828"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-787", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nmm/page_owner: use strscpy() instead of strlcpy()\ncurrent->comm[] is not a string (no guarantee for a zero byte in it).\nstrlcpy(s1, s2, l) is calling strlen(s2), potentially\ncausing out-of-bound access, as reported by syzbot:\ndetected buffer overflow in __fortify_strlen\n------------[ cut here ]------------\nkernel BUG at lib/string_helpers.c:980!\ninvalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980\nCode: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a\nRSP: 0018:ffffc900000074a8 EFLAGS: 00010286\nRAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000\nRDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87\nRBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000\nR10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700\nR13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600\nCall Trace:\n<IRQ>\n__fortify_strlen include/linux/fortify-string.h:128 [inline]\nstrlcpy include/linux/fortify-string.h:143 [inline]\n__set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171\n__set_page_owner+0x3e/0x50 mm/page_owner.c:190\nprep_new_page mm/page_alloc.c:2441 [inline]\nget_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182\n__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408\nalloc_pages+0x1aa/0x310 mm/mempolicy.c:2272\nalloc_slab_page mm/slub.c:1799 [inline]\nallocate_slab+0x26c/0x3c0 mm/slub.c:1944\nnew_slab mm/slub.c:2004 [inline]\n___slab_alloc+0x8df/0xf20 mm/slub.c:3005\n__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092\nslab_alloc_node mm/slub.c:3183 [inline]\nslab_alloc mm/slub.c:3225 [inline]\n__kmem_cache_alloc_lru mm/slub.c:3232 [inline]\nkmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242\ndst_alloc+0x146/0x1f0 net/core/dst.c:92"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-49401", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49401\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49401\nhttps://lore.kernel.org/linux-cve-announce/2025022651-CVE-2022-49401-2fa3@gregkh/T"], "statement": "Not actual for the any versions of Red Hat Enterprise Linux, because configuration parameter CONFIG_PAGE_OWNER disabled by default. For the Red Hat Enterprise Linux 8 fixed starting from 8.9 version anyway and for the Red Hat Enterprise Linux 9 or later also fixed. There is known reproducer by SyzBot for this bug. The complexity of attack would be high.", "threat_severity": "Moderate"}