Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free bug of ns_writer on remount If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time. In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below: Task1 Task2 -------------------------------- ------------------------------ nilfs_construct_segment nilfs_segctor_sync init_wait init_waitqueue_entry add_wait_queue schedule nilfs_remount (R/W remount case) nilfs_attach_log_writer nilfs_detach_log_writer nilfs_segctor_destroy kfree finish_wait _raw_spin_lock_irqsave __raw_spin_lock_irqsave do_raw_spin_lock debug_spin_lock_before <-- use-after-free While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 waked up, Task1 accesses nilfs->ns_writer which is already freed. This scenario diagram is based on the Shigeru Yoshida's post [1]. This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | < 4.9.334 |
Related Weaknesses (CWE)
References
- https://git.kernel.org/stable/c/39a3ed68270b079c6b874d4e4727a512b9b4882cPatch
- https://git.kernel.org/stable/c/4feedde5486c07ea79787839153a71ca71329c7dPatch
- https://git.kernel.org/stable/c/8cccf05fe857a18ee26e20d11a8455a73ffd4efdPatch
- https://git.kernel.org/stable/c/9b162e81045266a2d5b44df9dffdf05c54de9ccaPatch
- https://git.kernel.org/stable/c/afbd1188382a75f6cfe22c0b68533f7f9664f182Patch
- https://git.kernel.org/stable/c/b152300d5a1ba4258dacf9916bff20e6a8c7603bPatch
- https://git.kernel.org/stable/c/b2fbf10040216ef5ee270773755fc2f5da65b749Patch
- https://git.kernel.org/stable/c/b4736ab5542112fe0a40f140a0a0b072954f34daPatch
FAQ
What is CVE-2022-49834?
CVE-2022-49834 is a vulnerability with a CVSS score of 7.8 (HIGH). In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free bug of ns_writer on remount If a nilfs2 filesystem is downgraded to read-only due to metadata corruptio...
How severe is CVE-2022-49834?
CVE-2022-49834 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-49834?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel.