CVE-2022-49834

Summary

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free bug of ns_writer on remount

If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time.

In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below:

Task1 Task2


nilfs_construct_segment nilfs_segctor_sync init_wait init_waitqueue_entry add_wait_queue schedule nilfs_remount (R/W remount case) nilfs_attach_log_writer nilfs_detach_log_writer nilfs_segctor_destroy kfree finish_wait _raw_spin_lock_irqsave __raw_spin_lock_irqsave do_raw_spin_lock debug_spin_lock_before <– use-after-free

While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 waked up, Task1 accesses nilfs->ns_writer which is already freed. This scenario diagram is based on the Shigeru Yoshida's post [1].

This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < b2fbf10040216ef5ee270773755fc2f5da65b749affected
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < 39a3ed68270b079c6b874d4e4727a512b9b4882caffected
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < b4736ab5542112fe0a40f140a0a0b072954f34daaffected
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < 9b162e81045266a2d5b44df9dffdf05c54de9ccaaffected
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < 4feedde5486c07ea79787839153a71ca71329c7daffected
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < afbd1188382a75f6cfe22c0b68533f7f9664f182affected
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < b152300d5a1ba4258dacf9916bff20e6a8c7603baffected
LinuxLinuxfe5f171bb272946ce5fbf843ce2f8467d0d41b9a < 8cccf05fe857a18ee26e20d11a8455a73ffd4efdaffected
LinuxLinux2.6.34affected
LinuxLinux0 < 2.6.34unaffected
LinuxLinux4.9.334 <= 4.9.*unaffected
LinuxLinux4.14.300 <= 4.14.*unaffected
LinuxLinux4.19.267 <= 4.19.*unaffected
LinuxLinux5.4.225 <= 5.4.*unaffected
LinuxLinux5.10.155 <= 5.10.*unaffected
LinuxLinux5.15.79 <= 5.15.*unaffected
LinuxLinux6.0.9 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References