CVE-2022-48674 erofs: fix pcluster use-after-free on UP platforms

2024-05-0314:51:57

Linux

github.com

linux kernel

vulnerability

erofs

pcluster

use-after-free

stress testing

kasan

cpu

pid

comm

bios

red hat kvm.

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix pcluster use-after-free on UP platforms

During stress testing with CONFIG_SMP disabled, KASAN reports as below:

==================================================================
BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30
Read of size 8 at addr ffff8881094223f8 by task stress/7789

CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
<TASK>
…
__mutex_lock+0xe5/0xc30
…
z_erofs_do_read_page+0x8ce/0x1560
…
z_erofs_readahead+0x31c/0x580
…
Freed by task 7787
kasan_save_stack+0x1e/0x40
kasan_set_track+0x20/0x30
kasan_set_free_info+0x20/0x40
__kasan_slab_free+0x10c/0x190
kmem_cache_free+0xed/0x380
rcu_core+0x3d5/0xc90
__do_softirq+0x12d/0x389

Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xb0
call_rcu+0x3d/0x3f0
erofs_shrink_workstation+0x11f/0x210
erofs_shrink_scan+0xdc/0x170
shrink_slab.constprop.0+0x296/0x530
drop_slab+0x1c/0x70
drop_caches_sysctl_handler+0x70/0x80
proc_sys_call_handler+0x20a/0x2f0
vfs_write+0x555/0x6c0
ksys_write+0xbe/0x160
do_syscall_64+0x3b/0x90

The root cause is that erofs_workgroup_unfreeze() doesn’t reset to
orig_val thus it causes a race that the pcluster reuses unexpectedly
before freeing.

Since UP platforms are quite rare now, such path becomes unnecessary.
Let’s drop such specific-designed path directly instead.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/erofs/internal.h"
    ],
    "versions": [
      {
        "version": "73f5c66df3e2",
        "lessThan": "8ddd001cef5e",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "73f5c66df3e2",
        "lessThan": "94c34faaafe7",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "73f5c66df3e2",
        "lessThan": "2f44013e3998",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/erofs/internal.h"
    ],
    "versions": [
      {
        "version": "5.0",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.0",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.68",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.19.9",
        "lessThanOrEqual": "5.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.0",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]