Improper Input Validation Affecting kernel package, versions <0:4.14.301-224.520.amzn2


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.25% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2-KERNEL-9513731
  • published26 Mar 2025
  • disclosed21 Oct 2024

Introduced: 21 Oct 2024

CVE-2022-49033  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2 kernel to version 0:4.14.301-224.520.amzn2 or higher.
This issue was patched in ALAS2-2022-1903.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel package and not the kernel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()

Syzkaller reported BUG as follows:

BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 __might_resched.cold+0x222/0x26b kmem_cache_alloc+0x2e7/0x3c0 update_qgroup_limit_item+0xe1/0x390 btrfs_qgroup_inherit+0x147b/0x1ee0 create_subvol+0x4eb/0x1710 btrfs_mksubvol+0xfe5/0x13f0 __btrfs_ioctl_snap_create+0x2b0/0x430 btrfs_ioctl_snap_create_v2+0x25a/0x520 btrfs_ioctl+0x2a1c/0x5ce0 __x64_sys_ioctl+0x193/0x200 do_syscall_64+0x35/0x80

Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in btrfs_run_qgroups() later outside of the spinlock context.

CVSS Base Scores

version 3.1