CVE-2022-48674
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix pcluster use-after-free on UP platforms
During stress testing with CONFIG_SMP disabled, KASAN reports as below:
================================================================== BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789
CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: <TASK> .. __mutex_lock+0xe5/0xc30 .. z_erofs_do_read_page+0x8ce/0x1560 .. z_erofs_readahead+0x31c/0x580 .. Freed by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190 kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389
Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0 erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170 shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70 drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0 vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90
The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing.
Since UP platforms are quite rare now, such path becomes unnecessary. Let's drop such specific-designed path directly instead.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad < 8ddd001cef5e82d19192e6861068463ecca5f556 | affected |
| Linux | Linux | 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad < 94c34faaafe7b55adc2d8d881db195b646959b9e | affected |
| Linux | Linux | 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad < 2f44013e39984c127c6efedf70e6b5f4e9dcf315 | affected |
| Linux | Linux | 08ec9e6892cc792d7f8fe4d13bd8a0e91fb23488 | affected |
| Linux | Linux | 78c46113413bea1cc345757112aa2642e0f66de5 | affected |
| Linux | Linux | 4.19.26 < 4.20 | affected |
| Linux | Linux | 4.20.13 < 4.21 | affected |
| Linux | Linux | 5.0 | affected |
| Linux | Linux | 0 < 5.0 | unaffected |
| Linux | Linux | 5.15.68 <= 5.15.* | unaffected |
| Linux | Linux | 5.19.9 <= 5.19.* | unaffected |
| Linux | Linux | 6.0 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/8ddd001cef5e82d19192e6861068463ecca5f556
- https://git.kernel.org/stable/c/94c34faaafe7b55adc2d8d881db195b646959b9e
- https://git.kernel.org/stable/c/2f44013e39984c127c6efedf70e6b5f4e9dcf315
References
- https://git.kernel.org/stable/c/8ddd001cef5e82d19192e6861068463ecca5f556
- https://git.kernel.org/stable/c/94c34faaafe7b55adc2d8d881db195b646959b9e
- https://git.kernel.org/stable/c/2f44013e39984c127c6efedf70e6b5f4e9dcf315
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.