CVE-2022-49834
01.05.2025, 15:16
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free bug of ns_writer on remount
If a nilfs2 filesystem is downgraded to read-only due to metadata
corruption on disk and is remounted read/write, or if emergency read-only
remount is performed, detaching a log writer and synchronizing the
filesystem can be done at the same time.
In these cases, use-after-free of the log writer (hereinafter
nilfs->ns_writer) can happen as shown in the scenario below:
Task1 Task2
-------------------------------- ------------------------------
nilfs_construct_segment
nilfs_segctor_sync
init_wait
init_waitqueue_entry
add_wait_queue
schedule
nilfs_remount (R/W remount case)
nilfs_attach_log_writer
nilfs_detach_log_writer
nilfs_segctor_destroy
kfree
finish_wait
_raw_spin_lock_irqsave
__raw_spin_lock_irqsave
do_raw_spin_lock
debug_spin_lock_before <-- use-after-free
While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1
waked up, Task1 accesses nilfs->ns_writer which is already freed. This
scenario diagram is based on the Shigeru Yoshida's post [1].
This patch fixes the issue by not detaching nilfs->ns_writer on remount so
that this UAF race doesn't happen. Along with this change, this patch
also inserts a few necessary read-only checks with superblock instance
where only the ns_writer pointer was used to check if the filesystem is
read-only.Enginsight| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 𝑥 < 4.9.334 |
| linux | linux_kernel | 4.10 ≤ 𝑥 < 4.14.300 |
| linux | linux_kernel | 4.15 ≤ 𝑥 < 4.19.267 |
| linux | linux_kernel | 4.20 ≤ 𝑥 < 5.4.225 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.155 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.79 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.0.9 |
| linux | linux_kernel | 6.1:rc1 |
| linux | linux_kernel | 6.1:rc2 |
| linux | linux_kernel | 6.1:rc3 |
| linux | linux_kernel | 6.1:rc4 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References