CVE-2022-48674
erofs: fix pcluster use-after-free on UP platforms
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix pcluster use-after-free on UP platforms
During stress testing with CONFIG_SMP disabled, KASAN reports as below:
==================================================================
BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30
Read of size 8 at addr ffff8881094223f8 by task stress/7789
CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
<TASK>
..
__mutex_lock+0xe5/0xc30
..
z_erofs_do_read_page+0x8ce/0x1560
..
z_erofs_readahead+0x31c/0x580
..
Freed by task 7787
kasan_save_stack+0x1e/0x40
kasan_set_track+0x20/0x30
kasan_set_free_info+0x20/0x40
__kasan_slab_free+0x10c/0x190
kmem_cache_free+0xed/0x380
rcu_core+0x3d5/0xc90
__do_softirq+0x12d/0x389
Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xb0
call_rcu+0x3d/0x3f0
erofs_shrink_workstation+0x11f/0x210
erofs_shrink_scan+0xdc/0x170
shrink_slab.constprop.0+0x296/0x530
drop_slab+0x1c/0x70
drop_caches_sysctl_handler+0x70/0x80
proc_sys_call_handler+0x20a/0x2f0
vfs_write+0x555/0x6c0
ksys_write+0xbe/0x160
do_syscall_64+0x3b/0x90
The root cause is that erofs_workgroup_unfreeze() doesn't reset to
orig_val thus it causes a race that the pcluster reuses unexpectedly
before freeing.
Since UP platforms are quite rare now, such path becomes unnecessary.
Let's drop such specific-designed path directly instead.
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: erofs: corrige el use-after-free de pcluster en plataformas UP Durante las pruebas de estrés con CONFIG_SMP deshabilitado, KASAN informa lo siguiente: ============== ==================================================== == ERROR: KASAN: use-after-free en __mutex_lock+0xe5/0xc30 Lectura de tamaño 8 en la dirección ffff8881094223f8 por tarea estrés/7789 CPU: 0 PID: 7789 Comm: estrés No contaminado 6.0.0-rc1-00002-g0d53d2e882f9 # 3 Nombre del hardware: Red Hat KVM, BIOS 0.5.1 01/01/2011 Seguimiento de llamadas: .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. Liberado por la tarea 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x 389 Última creación de trabajo potencialmente relacionado: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/ 0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 retract_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 La causa principal es que erofs_workgroup_unfreeze() no se restablece a orig_val, por lo que provoca una carrera que el pcluster reutiliza inesperadamente antes de liberarse. Dado que las plataformas UP son bastante raras ahora, ese camino se vuelve innecesario. En su lugar, eliminemos directamente esa ruta manipulada específicamente.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-25 CVE Reserved
- 2024-05-03 CVE Published
- 2024-05-24 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (6)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/73f5c66df3e26ab750cefcb9a3e08c71c9f79cad | Vuln. Introduced | |
https://git.kernel.org/stable/c/08ec9e6892cc792d7f8fe4d13bd8a0e91fb23488 | Vuln. Introduced | |
https://git.kernel.org/stable/c/78c46113413bea1cc345757112aa2642e0f66de5 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.0 < 5.15.68 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.15.68" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.0 < 5.19.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.19.9" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.0 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.0" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.19.26 Search vendor "Linux" for product "Linux Kernel" and version "4.19.26" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.20.13 Search vendor "Linux" for product "Linux Kernel" and version "4.20.13" | en |
Affected
|