7.8
CVE-2022-49834
- EPSS 0.19%
- Veröffentlicht 01.05.2025 14:09:52
- Zuletzt bearbeitet 10.11.2025 21:12:47
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
nilfs2: fix use-after-free bug of ns_writer on remount
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free bug of ns_writer on remount
If a nilfs2 filesystem is downgraded to read-only due to metadata
corruption on disk and is remounted read/write, or if emergency read-only
remount is performed, detaching a log writer and synchronizing the
filesystem can be done at the same time.
In these cases, use-after-free of the log writer (hereinafter
nilfs->ns_writer) can happen as shown in the scenario below:
Task1 Task2
-------------------------------- ------------------------------
nilfs_construct_segment
nilfs_segctor_sync
init_wait
init_waitqueue_entry
add_wait_queue
schedule
nilfs_remount (R/W remount case)
nilfs_attach_log_writer
nilfs_detach_log_writer
nilfs_segctor_destroy
kfree
finish_wait
_raw_spin_lock_irqsave
__raw_spin_lock_irqsave
do_raw_spin_lock
debug_spin_lock_before <-- use-after-free
While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1
waked up, Task1 accesses nilfs->ns_writer which is already freed. This
scenario diagram is based on the Shigeru Yoshida's post [1].
This patch fixes the issue by not detaching nilfs->ns_writer on remount so
that this UAF race doesn't happen. Along with this change, this patch
also inserts a few necessary read-only checks with superblock instance
where only the ns_writer pointer was used to check if the filesystem is
read-only.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version < 4.9.334
Linux ≫ Linux Kernel Version >= 4.10 < 4.14.300
Linux ≫ Linux Kernel Version >= 4.15 < 4.19.267
Linux ≫ Linux Kernel Version >= 4.20 < 5.4.225
Linux ≫ Linux Kernel Version >= 5.5 < 5.10.155
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.79
Linux ≫ Linux Kernel Version >= 5.16 < 6.0.9
Linux ≫ Linux Kernel Version6.1 Updaterc1
Linux ≫ Linux Kernel Version6.1 Updaterc2
Linux ≫ Linux Kernel Version6.1 Updaterc3
Linux ≫ Linux Kernel Version6.1 Updaterc4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.089 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/b2fbf10040216ef5ee270773755fc2f5da65b749
https://git.kernel.org/stable/c/39a3ed68270b079c6b874d4e4727a512b9b4882c
https://git.kernel.org/stable/c/b4736ab5542112fe0a40f140a0a0b072954f34da
https://git.kernel.org/stable/c/9b162e81045266a2d5b44df9dffdf05c54de9cca
https://git.kernel.org/stable/c/4feedde5486c07ea79787839153a71ca71329c7d
https://git.kernel.org/stable/c/afbd1188382a75f6cfe22c0b68533f7f9664f182
https://git.kernel.org/stable/c/b152300d5a1ba4258dacf9916bff20e6a8c7603b
https://git.kernel.org/stable/c/8cccf05fe857a18ee26e20d11a8455a73ffd4efd