CVE-2022-49767: Vulnerability in the Linux kernel (9p/trans_fd)
In the Linux kernel, the following vulnerability has been resolved:

9p/trans_fd: always use O_NONBLOCK read/write

syzbot is reporting a hung task at p9_fd_close() [1], for p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is failing to interrupt already started kernel_read() from p9_fd_read() from p9_read_work() and/or kernel_write() from p9_fd_write() from p9_write_work() requests.

Since p9_socket_open() sets the O_NONBLOCK flag, p9_mux_poll_stop() does not need to interrupt kernel_read()/kernel_write(). However, since p9_fd_open() does not set the O_NONBLOCK flag, but a pipe blocks unless a signal is pending, p9_mux_poll_stop() needs to interrupt kernel_read()/kernel_write() when the file descriptor refers to a pipe. In other words, a pipe file descriptor needs to be handled as if it were a socket file descriptor.

We somehow need to interrupt kernel_read()/kernel_write() on pipes. A minimal change, which this patch is doing, is to set the O_NONBLOCK flag from p9_fd_open(), for the O_NONBLOCK flag does not affect reading/writing of regular files. But this approach changes the O_NONBLOCK flag on userspace-supplied file descriptors (which might break userspace programs), and the O_NONBLOCK flag could be changed by userspace. It would be possible to set the O_NONBLOCK flag every time p9_fd_read()/p9_fd_write() is invoked, but a small race window for clearing the O_NONBLOCK flag still remains.

If we don't want to manipulate the O_NONBLOCK flag, we might be able to surround kernel_read()/kernel_write() with set_thread_flag(TIF_SIGPENDING) and recalc_sigpending(). Since the p9_read_work()/p9_write_work() works are processed by kernel threads which process the global system_wq workqueue, signals could not be delivered from remote threads when p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is called. Therefore, calling set_thread_flag(TIF_SIGPENDING)/recalc_sigpending() every time would be needed if we count on signals for making kernel_read()/kernel_write() non-blocking.
[Dominique: add comment at Christian's suggestion]
AI Analysis
Technical Summary
CVE-2022-49767 is a hang (denial of service) in the Linux kernel's 9p client, specifically in its file-descriptor transport net/9p/trans_fd.c, the module behind mounts that use trans=fd (a pair of descriptors supplied by the mounting program), trans=tcp or trans=unix. The transport services each connection with two work items, p9_read_work() and p9_write_work(), which call kernel_read()/kernel_write() on the underlying file. For sockets this is safe: p9_socket_open() sets O_NONBLOCK, so a read with no data available returns at once. For caller-supplied descriptors, p9_fd_open() left the file flags untouched, so a read on an empty pipe (or a write on a full one) sleeps until data moves or a signal is pending. Those work items run on kernel worker threads of the shared system_wq, which p9_mux_poll_stop() has no way to signal, so when p9_fd_close() tears the connection down through p9_conn_destroy() it waits for work that never completes and the kernel's hung-task detector fires; syzbot found the condition by fuzzing. The fix sets O_NONBLOCK on the file in p9_fd_open(), making the pipe case behave like the socket case; this is harmless for regular files, where the flag does not change read/write behaviour. The caveat is that the flag is stored on the open file description, which the kernel shares with the process that passed the descriptor in: that process now sees O_NONBLOCK on its own fd and could clear it again, reopening the race. The commit message weighs the alternatives, re-setting the flag on every read/write or faking a pending signal with set_thread_flag(TIF_SIGPENDING)/recalc_sigpending() around each call, and rejects them as more invasive. The result is a kernel-level availability issue; nothing in the description points to memory corruption, privilege escalation or data exposure.
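The two facts the fix rests on, that an empty pipe read sleeps unless O_NONBLOCK is set and that the flag belongs to the open file description shared with the program that handed the descriptor over, can be reproduced from user space. The program below is an added illustration, not code from the kernel commit or from this page. It stands in for the kernel's reference to the caller's pipe with a dup()'d descriptor and sets O_NONBLOCK through fcntl(F_SETFL), which acts on the same open file description as the kernel's direct write to file->f_flags; that correspondence is the example's assumption. It also shows that the same flag leaves reads of a regular file unchanged.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

enum read_outcome { READ_DATA, READ_EOF, READ_WOULDBLOCK, READ_ERROR };

/* One read() attempt, reduced to the outcome that matters for this bug. */
static enum read_outcome try_read(int fd)
{
    char buf[16];
    ssize_t n = read(fd, buf, sizeof buf);
    if (n > 0)
        return READ_DATA;
    if (n == 0)
        return READ_EOF;
    return (errno == EAGAIN || errno == EWOULDBLOCK) ? READ_WOULDBLOCK : READ_ERROR;
}

/* Set or clear O_NONBLOCK; the flag lives on the open file description, not on the fd. */
static int set_nonblock(int fd, int on)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, on ? (flags | O_NONBLOCK) : (flags & ~O_NONBLOCK));
}

static int has_nonblock(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    return flags >= 0 && (flags & O_NONBLOCK) != 0;
}

/* True when nothing is readable right now, i.e. a blocking read() would sleep. */
static int would_block_now(int fd)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    return poll(&pfd, 1, 0) == 0;
}

/* Returns 0 when every expectation holds, otherwise a negative step number. */
int demo_pipe_nonblock(void)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int user_fd = p[0];        /* the descriptor the mounting program keeps using */
    int kernel_fd = dup(p[0]); /* stands in for the struct file the kernel holds (assumption) */
    if (kernel_fd < 0)
        return -2;

    /* Empty pipe, flag clear: a read() here would sleep until a writer appears or a
     * signal is pending, the state p9_read_work() got stuck in. Checked with poll()
     * so this program does not hang itself. */
    if (has_nonblock(user_fd) || !would_block_now(user_fd))
        return -3;

    /* The fix sets O_NONBLOCK through the kernel's reference ... */
    if (set_nonblock(kernel_fd, 1) < 0)
        return -4;
    /* ... and the program that supplied the descriptor sees the change on its own fd. */
    if (!has_nonblock(user_fd))
        return -5;
    /* An empty pipe now fails fast with EAGAIN instead of sleeping. */
    if (try_read(user_fd) != READ_WOULDBLOCK)
        return -6;
    /* Data and end-of-file still behave normally. */
    if (write(p[1], "x", 1) != 1 || try_read(user_fd) != READ_DATA)
        return -7;
    close(p[1]);
    if (try_read(user_fd) != READ_EOF)
        return -8;
    close(user_fd);
    close(kernel_fd);
    return 0;
}

/* O_NONBLOCK has no effect on a regular file: returns 1 when the read returns data. */
int demo_regular_file_nonblock(void)
{
    FILE *f = tmpfile();
    if (!f)
        return -1;
    int fd = fileno(f);
    if (write(fd, "9p", 2) != 2 || lseek(fd, 0, SEEK_SET) != 0)
        return -2;
    if (set_nonblock(fd, 1) < 0 || !has_nonblock(fd))
        return -3;
    int ok = try_read(fd) == READ_DATA;
    fclose(f);
    return ok;
}

int main(void)
{
    printf("pipe demo: %d (0 = all expectations met)\n", demo_pipe_nonblock());
    printf("regular file: %d (1 = read returned data despite O_NONBLOCK)\n",
           demo_regular_file_nonblock());
    return 0;
}
```

The step that returns -5 is the one that matters for the compatibility caveat: after the kernel sets the flag, a 9p server process on the other side of the same open file description gets EAGAIN from reads it expected to block on.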
Potential Impact
For European organizations, the impact of CVE-2022-49767 centers on availability. Linux is widely used across European enterprises, public sector institutions and critical infrastructure, often as the backbone of servers, cloud environments and embedded systems, but this bug is only reachable on hosts that mount 9p through the fd transport: trans=fd with descriptors supplied by the mounting program, trans=tcp or trans=unix. The virtio transport that QEMU/KVM guests use for host file sharing is a separate 9p transport module and is not the code path described here. Where the fd transport is in use, for example a 9p server process connected over a pipe or a share reached over a TCP or Unix socket, tearing the connection down can leave the task doing so (typically an unmount) hung in p9_fd_close(). That stalls the unmount and anything waiting behind it rather than crashing the kernel, but it is a denial-of-service condition that may need a reboot to clear, disrupting business operations in sectors reliant on high availability such as finance, telecommunications, healthcare and government services. There is no indication of privilege escalation, memory corruption or data breach; any effect on confidentiality or integrity is indirect, through forced reboots and unclean shutdowns. A second, operational consequence comes from the fix itself: the kernel now sets O_NONBLOCK on the descriptors a program passes to a trans=fd mount, so a 9p server or helper that keeps using those descriptors and relies on blocking reads or writes may start seeing EAGAIN and needs testing before the patched kernel is rolled out.
Mitigation Recommendations
To mitigate CVE-2022-49767, European organizations should:
1) Confirm the fix is present. The commit (9p/trans_fd: always use O_NONBLOCK read/write) predates the CVE, which was reserved in April 2025 for a change already in the kernel tree, so most maintained kernels already carry it; check the running kernel against your distribution's advisory for this CVE rather than waiting for a new patch.
2) Inventory 9p mounts and record the transport each one uses. Only trans=fd, trans=tcp and trans=unix go through net/9p/trans_fd.c; trans=virtio shares are outside the affected code.
3) Regression-test, in a staging environment, any 9p server or helper that is handed pipe descriptors by a trans=fd mount: after the fix those descriptors carry O_NONBLOCK, so blocking-I/O assumptions in that program may break. Either make it handle EAGAIN or give it descriptors of its own.
4) Monitor hosts with fd-transport 9p mounts for hung-task reports from the kernel ("INFO: task ... blocked for more than ... seconds") whose stack mentions p9_fd_close or p9_conn_destroy, and alert on them.
5) Where patching is delayed, limit exposure by restricting use of the fd transport for 9p, or by isolating the hosts and virtual machines that need it.
6) Maintain up-to-date backups and incident response plans so a host stuck in this state can be rebooted and recovered quickly.
7) Engage with Linux distribution vendors for backported patches and security advisories relevant to the specific kernel versions in use.
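For step 2, the mount inventory, the following program classifies /proc/self/mounts lines by 9p transport. It is an added example written for this page, not a tool from the kernel project or the advisory. The mapping of trans=fd, trans=tcp and trans=unix to the fd transport follows the commit message; a 9p mount whose options show no trans= value is reported as unknown for manual review rather than silently ignored. The sample mount lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Only the fd transport (trans=fd, trans=tcp, trans=unix) is served by net/9p/trans_fd.c. */
enum p9_transport { P9_NOT_9P, P9_TRANS_FD, P9_TRANS_OTHER, P9_TRANS_UNKNOWN };

/* Classify one mounts-file line: "<src> <mnt> <fstype> <opts> <dump> <pass>". */
enum p9_transport classify_mount_line(const char *line)
{
    char src[256], mnt[256], fstype[64], opts[512];
    if (sscanf(line, "%255s %255s %63s %511s", src, mnt, fstype, opts) != 4)
        return P9_NOT_9P;
    if (strcmp(fstype, "9p") != 0)
        return P9_NOT_9P;

    /* Walk the comma-separated option list looking for trans=<name>. */
    for (const char *p = opts; ; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 6 && strncmp(p, "trans=", 6) == 0) {
            const char *val = p + 6;
            size_t vlen = len - 6;
            if ((vlen == 2 && strncmp(val, "fd", 2) == 0) ||
                (vlen == 3 && strncmp(val, "tcp", 3) == 0) ||
                (vlen == 4 && strncmp(val, "unix", 4) == 0))
                return P9_TRANS_FD;
            return P9_TRANS_OTHER;  /* e.g. trans=virtio, trans=xen, trans=rdma */
        }
        if (!end)
            break;
        p = end + 1;
    }
    return P9_TRANS_UNKNOWN;  /* 9p mount with no trans= shown: review by hand */
}

/* Count the mounts in a mounts-file text that use the fd transport. */
int count_fd_transport_mounts(const char *text)
{
    int n = 0;
    char line[1024];
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line)
            len = sizeof line - 1;  /* overlong line: truncate defensively */
        memcpy(line, text, len);
        line[len] = '\0';
        if (classify_mount_line(line) == P9_TRANS_FD)
            n++;
        if (!nl)
            break;
        text = nl + 1;
    }
    return n;
}

/* Constructed sample in /proc/self/mounts format, not a capture from a real host. */
const char *sample_mounts =
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "hostshare /mnt/share 9p rw,relatime,trans=virtio,version=9p2000.L 0 0\n"
    "9pserver /mnt/fd 9p rw,relatime,trans=fd,rfdno=3,wfdno=4 0 0\n"
    "192.0.2.10 /mnt/net 9p rw,relatime,trans=tcp,port=564 0 0\n";

int main(void)
{
    printf("sample: %d mount(s) on the fd transport\n",
           count_fd_transport_mounts(sample_mounts));

    /* On a real host, list the live mounts that go through the affected transport. */
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return 0;
    char line[1024];
    while (fgets(line, sizeof line, f))
        if (classify_mount_line(line) == P9_TRANS_FD)
            printf("fd-transport 9p mount: %s", line);
    fclose(f);
    return 0;
}
```

Run it on each host in scope; the sample reports two affected mounts (the trans=fd and trans=tcp entries) and leaves the virtio share out, which is the distinction the impact section draws.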
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-04-16T07:17:33.804Z
- CISA Enriched: false
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d982cc4522896dcbe4ae0
Added to database: 5/21/2025, 9:09:00 AM
Last enriched: 6/30/2025, 1:12:38 AM
Last updated: 8/12/2025, 4:07:35 PM
Related Threats
- CVE-2025-52621: CWE-346 Origin Validation Error in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-52620: CWE-20 Improper Input Validation in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-52619: CWE-209 Generation of Error Message Containing Sensitive Information in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-52618: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in HCL Software BigFix SaaS Remediate (Medium)
- CVE-2025-43201: An app may be able to unexpectedly leak a user's credentials in Apple Apple Music Classical for Android (High)