{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-48847","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-16T11:38:08.911Z","datePublished":"2024-07-16T12:25:15.804Z","dateUpdated":"2025-05-04T08:24:39.088Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:24:39.088Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix filter limit check\n\nIn watch_queue_set_filter(), there are a couple of places where we check\nthat the filter type value does not exceed what the type_filter bitmap\ncan hold.  One place calculates the number of bits by:\n\n   if (tf[i].type >= sizeof(wfilter->type_filter) * 8)\n\nwhich is fine, but the second does:\n\n   if (tf[i].type >= sizeof(wfilter->type_filter) * BITS_PER_LONG)\n\nwhich is not.  This can lead to a couple of out-of-bounds writes due to\na too-large type:\n\n (1) __set_bit() on wfilter->type_filter\n (2) Writing more elements in wfilter->filters[] than we allocated.\n\nFix this by just using the proper WATCH_TYPE__NR instead, which is the\nnumber of types we actually know about.\n\nThe bug may cause an oops looking something like:\n\n  BUG: KASAN: slab-out-of-bounds in watch_queue_set_filter+0x659/0x740\n  Write of size 4 at addr ffff88800d2c66bc by task watch_queue_oob/611\n  ...\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x45/0x59\n   print_address_description.constprop.0+0x1f/0x150\n   ...\n   kasan_report.cold+0x7f/0x11b\n   ...\n   watch_queue_set_filter+0x659/0x740\n   ...\n   __x64_sys_ioctl+0x127/0x190\n   do_syscall_64+0x43/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n  Allocated by task 611:\n   kasan_save_stack+0x1e/0x40\n   __kasan_kmalloc+0x81/0xa0\n   watch_queue_set_filter+0x23a/0x740\n   __x64_sys_ioctl+0x127/0x190\n   do_syscall_64+0x43/0x90\n   entry_SYSCALL_64_after_hwframe+0x44/0xae\n\n  The buggy address belongs to the object at ffff88800d2c66a0\n   which belongs to the cache kmalloc-32 of size 32\n  The buggy address is located 28 bytes inside of\n   32-byte region [ffff88800d2c66a0, ffff88800d2c66c0)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/watch_queue.h","kernel/watch_queue.c"],"versions":[{"version":"c73be61cede5882f9605a852414db559c0ebedfd","lessThan":"648895da69ced90ca770fd941c3d9479a9d72c16","status":"affected","versionType":"git"},{"version":"c73be61cede5882f9605a852414db559c0ebedfd","lessThan":"1b09f28f70a5046acd64138075ae3f095238b045","status":"affected","versionType":"git"},{"version":"c73be61cede5882f9605a852414db559c0ebedfd","lessThan":"b36588ebbcef74583824c08352e75838d6fb4ff2","status":"affected","versionType":"git"},{"version":"c73be61cede5882f9605a852414db559c0ebedfd","lessThan":"c993ee0f9f81caf5767a50d1faeba39a0dc82af2","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/watch_queue.h","kernel/watch_queue.c"],"versions":[{"version":"5.8","status":"affected"},{"version":"0","lessThan":"5.8","status":"unaffected","versionType":"semver"},{"version":"5.10.106","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.29","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.15","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.10.106"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.15.29"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.16.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/648895da69ced90ca770fd941c3d9479a9d72c16"},{"url":"https://git.kernel.org/stable/c/1b09f28f70a5046acd64138075ae3f095238b045"},{"url":"https://git.kernel.org/stable/c/b36588ebbcef74583824c08352e75838d6fb4ff2"},{"url":"https://git.kernel.org/stable/c/c993ee0f9f81caf5767a50d1faeba39a0dc82af2"}],"title":"watch_queue: Fix filter limit check","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T15:25:01.608Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/648895da69ced90ca770fd941c3d9479a9d72c16","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1b09f28f70a5046acd64138075ae3f095238b045","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b36588ebbcef74583824c08352e75838d6fb4ff2","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/c993ee0f9f81caf5767a50d1faeba39a0dc82af2","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2022-48847","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:56:35.105751Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:34:09.039Z"}}]}}