Bug 2425020 (CVE-2022-50736)
| Summary: | CVE-2022-50736 kernel: Linux kernel: Privilege escalation via out-of-bounds write in RDMA/siw | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was identified in the Linux kernel RDMA (siw) implementation where an undefined opcode value could be used during immediate work request flushing while in an error state. The send queue element opcode was not correctly set, which could lead to an out-of-bounds access when mapping between the SoftiWARP internal representation and the RDMA core representation in work completion generation. On some test configurations (e.g., NFSoRDMA testing), this resulted in a KASAN BUG report of type global-out-of-bounds. Additionally, a malicious local user with access to a memory-mapped completion queue (CQ) could supply undefined values for completion queue element status or opcode, leading to similar out-of-bounds array access. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
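
The Doc Text above describes a lookup table indexed by an opcode or status value that can be undefined or user-controlled. The following is an added illustration of that flaw class and a bounds-checked mapping; it is not the kernel's code or the upstream patch, and every identifier and numeric value in it is hypothetical.

```c
#include <stdint.h>

/* Hypothetical, simplified identifiers for illustration; not kernel definitions. */
enum demo_op { DEMO_OP_WRITE, DEMO_OP_READ, DEMO_OP_SEND, DEMO_OP_RECV, DEMO_NUM_OPS };
enum demo_st { DEMO_ST_SUCCESS, DEMO_ST_FLUSH_ERR, DEMO_ST_GENERAL_ERR, DEMO_NUM_ST };
/* Values of the "core" representation (constructed numbers). */
enum core_op { CORE_WC_RDMA_WRITE = 10, CORE_WC_RDMA_READ, CORE_WC_SEND, CORE_WC_RECV };
enum core_st { CORE_WC_SUCCESS = 0, CORE_WC_FLUSH_ERR = 5, CORE_WC_GENERAL_ERR = 21 };

/* Internal -> core lookup tables; an index >= the table size is out of bounds. */
static const int op_map[DEMO_NUM_OPS] = {
    [DEMO_OP_WRITE] = CORE_WC_RDMA_WRITE, [DEMO_OP_READ] = CORE_WC_RDMA_READ,
    [DEMO_OP_SEND]  = CORE_WC_SEND,       [DEMO_OP_RECV] = CORE_WC_RECV,
};
static const int st_map[DEMO_NUM_ST] = {
    [DEMO_ST_SUCCESS]     = CORE_WC_SUCCESS,
    [DEMO_ST_FLUSH_ERR]   = CORE_WC_FLUSH_ERR,
    [DEMO_ST_GENERAL_ERR] = CORE_WC_GENERAL_ERR,
};

/* Completion entry; when the CQ is memory-mapped, user space can write these fields. */
struct demo_cqe { uint64_t id; uint8_t opcode; uint8_t status; };
struct demo_wc  { uint64_t wr_id; int opcode; int status; };

/* Unchecked pattern (the flaw class): wc->opcode = op_map[cqe->opcode]; */

/* Returns 0 if the entry was mapped as-is, -1 if undefined values were replaced. */
int demo_cqe_to_wc(const volatile struct demo_cqe *cqe, struct demo_wc *wc)
{
    /* Snapshot once so the value that is checked is the value used as the index. */
    uint8_t op = cqe->opcode;
    uint8_t st = cqe->status;
    int rv = 0;

    if (op >= DEMO_NUM_OPS) {           /* undefined opcode */
        op = DEMO_OP_WRITE;
        st = DEMO_ST_GENERAL_ERR;
        rv = -1;
    } else if (st >= DEMO_NUM_ST) {     /* undefined status */
        st = DEMO_ST_GENERAL_ERR;
        rv = -1;
    }
    wc->wr_id = cqe->id;
    wc->opcode = op_map[op];
    wc->status = st_map[st];
    return rv;
}
```
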
Description
OSIDB Bzimport
2025-12-24 13:02:24 UTC