{"id":"CVE-2022-50341","summary":"cifs: fix oops during encryption","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix oops during encryption\n\nWhen running xfstests against Azure the following oops occurred on an\narm64 system\n\n  Unable to handle kernel write to read-only memory at virtual address\n  ffff0001221cf000\n  Mem abort info:\n    ESR = 0x9600004f\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x0f: level 3 permission fault\n  Data abort info:\n    ISV = 0, ISS = 0x0000004f\n    CM = 0, WnR = 1\n  swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000\n  [ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,\n  pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787\n  Internal error: Oops: 9600004f [#1] PREEMPT SMP\n  ...\n  pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)\n  pc : __memcpy+0x40/0x230\n  lr : scatterwalk_copychunks+0xe0/0x200\n  sp : ffff800014e92de0\n  x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008\n  x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008\n  x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000\n  x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014\n  x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058\n  x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590\n  x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580\n  x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005\n  x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001\n  x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000\n  Call trace:\n   __memcpy+0x40/0x230\n   scatterwalk_map_and_copy+0x98/0x100\n   crypto_ccm_encrypt+0x150/0x180\n   crypto_aead_encrypt+0x2c/0x40\n   crypt_message+0x750/0x880\n   smb3_init_transform_rq+0x298/0x340\n   smb_send_rqst.part.11+0xd8/0x180\n   smb_send_rqst+0x3c/0x100\n   compound_send_recv+0x534/0xbc0\n   smb2_query_info_compound+0x32c/0x440\n   smb2_set_ea+0x438/0x4c0\n   cifs_xattr_set+0x5d4/0x7c0\n\nThis is because in scatterwalk_copychunks(), we attempted to write to\na buffer (@sign) that was allocated in the stack (vmalloc area) by\ncrypt_message() and thus accessing its remaining 8 (x2) bytes ended up\ncrossing a page boundary.\n\nTo simply fix it, we could just pass @sign kmalloc'd from\ncrypt_message() and then we're done.  Luckily, we don't seem to pass\nany other vmalloc'd buffers in smb_rqst::rq_iov...\n\nInstead, let's map the correct pages and offsets from vmalloc buffers\nas well in cifs_sg_set_buf() and then avoiding such oopses.","modified":"2026-04-02T08:28:25.676943Z","published":"2025-09-16T16:11:20.838Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50341.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bf0543b93740916ee91956f9a63da6fc0d79daaa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8d16a54842d609fd4a3ed2d81d4333d6329aa94"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8e2861cc3258dbe407d01ea8c59bb5a53132301"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f7f291e14dde32a07b1f0aa06921d28f875a7b54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fe6ea044c4f05706cb71040055b1c70c6c8275e0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50341.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50341"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398"},{"fixed":"e8e2861cc3258dbe407d01ea8c59bb5a53132301"},{"fixed":"fe6ea044c4f05706cb71040055b1c70c6c8275e0"},{"fixed":"bf0543b93740916ee91956f9a63da6fc0d79daaa"},{"fixed":"a13e51760703f71c25d5fc1f4a62dfa4b0cc80e9"},{"fixed":"e8d16a54842d609fd4a3ed2d81d4333d6329aa94"},{"fixed":"f7f291e14dde32a07b1f0aa06921d28f875a7b54"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50341.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}