{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2022-49947","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-06-18T10:57:27.381Z","datePublished":"2025-06-18T11:00:11.012Z","dateUpdated":"2026-05-11T19:09:45.277Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:09:45.277Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix alloc->vma_vm_mm null-ptr dereference\n\nSyzbot reported a couple issues introduced by commit 44e602b4e52f\n(\"binder_alloc: add missing mmap_lock calls when using the VMA\"), in\nwhich we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not\nbeen initialized yet.\n\nThis can happen if a binder_proc receives a transaction without having\npreviously called mmap() to setup the binder_proc->alloc space in [1].\nAlso, a similar issue occurs via binder_alloc_print_pages() when we try\nto dump the debugfs binder stats file in [2].\n\nSample of syzbot's crash report:\n  ==================================================================\n  KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]\n  CPU: 0 PID: 3755 Comm: syz-executor229 Not tainted 6.0.0-rc1-next-20220819-syzkaller #0\n  syz-executor229[3755] cmdline: ./syz-executor2294415195\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022\n  RIP: 0010:__lock_acquire+0xd83/0x56d0 kernel/locking/lockdep.c:4923\n  [...]\n  Call Trace:\n   <TASK>\n   lock_acquire kernel/locking/lockdep.c:5666 [inline]\n   lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631\n   down_read+0x98/0x450 kernel/locking/rwsem.c:1499\n   mmap_read_lock include/linux/mmap_lock.h:117 [inline]\n   binder_alloc_new_buf_locked drivers/android/binder_alloc.c:405 [inline]\n   binder_alloc_new_buf+0xa5/0x19e0 drivers/android/binder_alloc.c:593\n   binder_transaction+0x242e/0x9a80 drivers/android/binder.c:3199\n   binder_thread_write+0x664/0x3220 drivers/android/binder.c:3986\n   binder_ioctl_write_read drivers/android/binder.c:5036 [inline]\n   binder_ioctl+0x3470/0x6d00 drivers/android/binder.c:5323\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:870 [inline]\n   __se_sys_ioctl fs/ioctl.c:856 [inline]\n   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856\n   do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n   entry_SYSCALL_64_after_hwframe+0x63/0xcd\n   [...]\n  ==================================================================\n\nFix these issues by setting up alloc->vma_vm_mm pointer during open()\nand caching directly from current->mm. This guarantees we have a valid\nreference to take the mmap_lock during scenarios described above.\n\n[1] https://syzkaller.appspot.com/bug?extid=f7dc54e5be28950ac459\n[2] https://syzkaller.appspot.com/bug?extid=a75ebe0452711c9e56d9"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"577d9c05cc48c5242bcf719c06a5baf3105473ad","lessThan":"81203ab7a6ef843a2b904a0a494f28c457d44d27","status":"affected","versionType":"git"},{"version":"7b0163c1b07b7ff1717aa975821c40df98786ddc","lessThan":"b2a97babb0a510f8921891f9e70c5a5ef33cadac","status":"affected","versionType":"git"},{"version":"44e602b4e52f70f04620bbbf4fe46ecb40170bde","lessThan":"1da52815d5f1b654c89044db0cdc6adce43da1f1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/android/binder_alloc.c"],"versions":[{"version":"5.15.64","lessThan":"5.15.66","status":"affected","versionType":"semver"},{"version":"5.19.6","lessThan":"5.19.8","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.64","versionEndExcluding":"5.15.66"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.6","versionEndExcluding":"5.19.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/81203ab7a6ef843a2b904a0a494f28c457d44d27"},{"url":"https://git.kernel.org/stable/c/b2a97babb0a510f8921891f9e70c5a5ef33cadac"},{"url":"https://git.kernel.org/stable/c/1da52815d5f1b654c89044db0cdc6adce43da1f1"}],"title":"binder: fix alloc->vma_vm_mm null-ptr dereference","x_generator":{"engine":"bippy-1.2.0"}}}}