CVE-2022-49179
📋 TL;DR
CVE-2022-49179 is a use-after-free vulnerability in the Linux kernel's BFQ I/O scheduler that can lead to kernel memory corruption. When exploited, it could allow local attackers to cause denial of service, privilege escalation, or arbitrary code execution in kernel context. This affects Linux systems using the BFQ scheduler with specific configurations.
💻 Affected Systems
- Linux Kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation to root, kernel panic causing system crash, or arbitrary code execution in kernel space leading to complete system compromise.
Likely Case
Kernel panic leading to denial of service (system crash) when specific I/O operations are performed during module unloading.
If Mitigated
Limited to denial of service if kernel hardening features like KASAN or SLAB_FREELIST_HARDENED are enabled.
🎯 Exploit Status
Exploitation requires local access and specific timing conditions during I/O scheduler operations. The vulnerability triggers during module unloading with BFQ queues active.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits: 7507ead1e9d42957c2340f2c4a0e9d00034e3366, 8410f70977734f21b8ed45c37e925d311dfda2e7, 87fdfe8589d43e471dffb4c60f75eeb6f37afc4c, 8f34dea99cd7761156a146a5258a67d045d862f7, c01fced8d38fbccc82787065229578006f28e020
Vendor Advisory: https://git.kernel.org/stable/c/7507ead1e9d42957c2340f2c4a0e9d00034e3366
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Check your distribution's security advisories for backported patches.
3. Reboot the system after kernel update.
🔧 Temporary Workarounds
Disable BFQ I/O Scheduler
Linux: Switch to a different I/O scheduler to avoid the vulnerable code path. Use whichever of the following names the device's scheduler file lists as available.
echo deadline > /sys/block/[device]/queue/scheduler
echo noop > /sys/block/[device]/queue/scheduler
echo mq-deadline > /sys/block/[device]/queue/scheduler
Prevent Module Unloading
Linux: Restrict module unloading to prevent the vulnerable cleanup path
echo 1 > /proc/sys/kernel/modules_disabled
chmod 400 /proc/modules
🧯 If You Can't Patch
- Disable BFQ scheduler on all block devices
- Implement strict access controls to prevent local users from loading/unloading kernel modules
- Enable kernel hardening features like KASAN and SLAB_FREELIST_HARDENED
🔍 How to Verify
Check if Vulnerable:
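Check if BFQ scheduler is active: cat /sys/block/[device]/queue/scheduler | grep -i bfq. The scheduler file lists every available scheduler and marks the active one with square brackets, so a match on bfq without brackets means it is available but not in use on that device. Check kernel version against affected ranges.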
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes fix commits: uname -r. Check if BFQ scheduler works without crashes during stress testing.
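The per-device check above, applied to every block device and reporting whether bfq is active or only available. This is an added example, not part of the original advisory; the function names and the optional sysfs root argument (useful for testing against a copy) are assumptions.

```shell
#!/bin/sh
# Added example: audit which block devices actually run the bfq scheduler.

# Classify one line from queue/scheduler, e.g. "mq-deadline kyber [bfq] none".
# The kernel puts the ACTIVE scheduler in square brackets.
bfq_state() {
    case " $1 " in
        *"[bfq]"*) echo active ;;      # bfq is the scheduler in use
        *" bfq "*) echo available ;;   # bfq is built or loaded, but not selected
        *)         echo absent ;;      # bfq is not offered for this device
    esac
}

# Print "<device> <state>" for each device where bfq is active or available.
# $1 = sysfs block root (assumption: defaults to /sys/block).
audit_bfq() {
    root=${1:-/sys/block}
    for f in "$root"/*/queue/scheduler; do
        [ -r "$f" ] || continue        # unmatched glob or unreadable file
        state=$(bfq_state "$(cat "$f")")
        [ "$state" = absent ] && continue
        dev=${f#"$root"/}              # strip root -> "sda/queue/scheduler"
        printf '%s %s\n' "${dev%%/*}" "$state"
    done
}

# Run against the live system when executed directly.
audit_bfq "${SYSFS_BLOCK:-/sys/block}"
```

Devices reported as active are the ones the scheduler workaround needs to cover; devices reported as available can still be switched to bfq later by a privileged user or a udev rule.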
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages
- KASAN reports of use-after-free in __bfq_put_async_bfqq
- OOM killer activity during I/O operations
- System crashes during module unloading
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND ("KASAN: use-after-free" OR "BUG: KASAN" OR "panic" OR "Oops") AND ("bfq" OR "__bfq_put_async_bfqq")
🔗 References
- https://git.kernel.org/stable/c/7507ead1e9d42957c2340f2c4a0e9d00034e3366
- https://git.kernel.org/stable/c/8410f70977734f21b8ed45c37e925d311dfda2e7
- https://git.kernel.org/stable/c/87fdfe8589d43e471dffb4c60f75eeb6f37afc4c
- https://git.kernel.org/stable/c/8f34dea99cd7761156a146a5258a67d045d862f7
- https://git.kernel.org/stable/c/c01fced8d38fbccc82787065229578006f28e020
- https://git.kernel.org/stable/c/c4f5a678add58a8a0e7ee5e038496b376ea6d205