CVE-2022-50126

Summary

In the Linux kernel, the following vulnerability has been resolved:

jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted

Following process will fail assertion 'jh->b_frozen_data == NULL' in jbd2_journal_dirty_metadata():

               jbd2_journal_commit_transaction

unlink(dir/a) jh->b_transaction = trans1 jh->b_jlist = BJ_Metadata journal->j_running_transaction = NULL trans1->t_state = T_COMMIT unlink(dir/b) handle->h_trans = trans2 do_get_write_access jh->b_modified = 0 jh->b_frozen_data = frozen_buffer jh->b_next_transaction = trans2 jbd2_journal_dirty_metadata is_handle_aborted is_journal_aborted // return false

       --> jbd2 abort <--

                 while (commit_transaction->t_buffers)
                  if (is_journal_aborted)
                   jbd2_journal_refile_buffer
                    __jbd2_journal_refile_buffer
                     WRITE_ONCE(jh->b_transaction,
					jh->b_next_transaction)
                     WRITE_ONCE(jh->b_next_transaction, NULL)
                     __jbd2_journal_file_buffer(jh, BJ_Reserved)
    J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure !

The reproducer (See detail in [Link]) reports: ————[ cut here ]———— kernel BUG at fs/jbd2/transaction.c:1629! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 2 PID: 584 Comm: unlink Tainted: G W 5.19.0-rc6-00115-g4a57a8400075-dirty #697 RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 Call Trace: <TASK> __ext4_handle_dirty_metadata+0xa0/0x290 ext4_handle_dirty_dirblock+0x10c/0x1d0 ext4_delete_entry+0x104/0x200 __ext4_unlink+0x22b/0x360 ext4_unlink+0x275/0x390 vfs_unlink+0x20b/0x4c0 do_unlinkat+0x42f/0x4c0 __x64_sys_unlink+0x37/0x50 do_syscall_64+0x35/0x80

After journal aborting, __jbd2_journal_refile_buffer() is executed with holding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()' into the area protected by @jh->b_state_lock.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < 0f61c6dc4b714be9d79cf0782ca02ba01c1b7ac3affected
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < 6073389db83b903678a0920554fa19f5bdc51c48affected
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < fa5b65d39332fef7a11ae99cb1f0696012a61527affected
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < f7161d0da975adc234161cd0641d0e484f5ce375affected
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < e62f79827784f56499a50ea2e893c98317b5407baffected
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < 731c1662d838fe954c6759e3ee43229b0d928fe4affected
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < ddd896792e1718cb84c96f3e618270589b6886dcaffected
LinuxLinux470decc613ab2048b619a01028072d932d9086ee < 4a734f0869f970b8a9b65062ea40b09a5da9dba8affected
LinuxLinux2.6.19affected
LinuxLinux0 < 2.6.19unaffected
LinuxLinux4.14.291 <= 4.14.*unaffected
LinuxLinux4.19.256 <= 4.19.*unaffected
LinuxLinux5.4.211 <= 5.4.*unaffected
LinuxLinux5.10.137 <= 5.10.*unaffected
LinuxLinux5.15.61 <= 5.15.*unaffected
LinuxLinux5.18.18 <= 5.18.*unaffected
LinuxLinux5.19.2 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References