CVE-2022-48919

In the Linux kernel, the following vulnerability has been resolved: cifs: fix double free race when mount fails in cifs_get_root() When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this situation we should not proceed to enter the out: section in cifs_smb3_do_mount() and free the same resources a second time. [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0 [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 [Thu Feb 10 12:59:06 2022] Call Trace: [Thu Feb 10 12:59:06 2022] <IRQ> [Thu Feb 10 12:59:06 2022] dump_stack_lvl+0x5d/0x78 [Thu Feb 10 12:59:06 2022] print_address_description.constprop.0+0x24/0x150 [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] kasan_report.cold+0x7d/0x117 [Thu Feb 10 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] __asan_load8+0x86/0xa0 [Thu Feb 10 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] rcu_core+0x547/0xca0 [Thu Feb 10 12:59:06 2022] ? call_rcu+0x3c0/0x3c0 [Thu Feb 10 12:59:06 2022] ? __this_cpu_preempt_check+0x13/0x20 [Thu Feb 10 12:59:06 2022] ? lock_is_held_type+0xea/0x140 [Thu Feb 10 12:59:06 2022] rcu_core_si+0xe/0x10 [Thu Feb 10 12:59:06 2022] __do_softirq+0x1d4/0x67b [Thu Feb 10 12:59:06 2022] __irq_exit_rcu+0x100/0x150 [Thu Feb 10 12:59:06 2022] irq_exit_rcu+0xe/0x30 [Thu Feb 10 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0 ... [Thu Feb 10 12:59:07 2022] Freed by task 58179: [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022] kasan_set_track+0x25/0x30 [Thu Feb 10 12:59:07 2022] kasan_set_free_info+0x24/0x40 [Thu Feb 10 12:59:07 2022] ____kasan_slab_free+0x137/0x170 [Thu Feb 10 12:59:07 2022] __kasan_slab_free+0x12/0x20 [Thu Feb 10 12:59:07 2022] slab_free_freelist_hook+0xb3/0x1d0 [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520 [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae [Thu Feb 10 12:59:07 2022] Last potentially related work creation: [Thu Feb 10 12:59:07 2022] kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0 [Thu Feb 10 12:59:07 2022] kasan_record_aux_stack_noalloc+0xb/0x10 [Thu Feb 10 12:59:07 2022] call_rcu+0x76/0x3c0 [Thu Feb 10 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] deactivate_locked_super+0x5d/0xd0 [Thu Feb 10 12:59:07 2022] cifs_smb3_do_mount+0xab9/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022] path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entry_SYSCALL_64_after_hwframe+0x44/0xae
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

27 Aug 2024, 16:07

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/147a0e71ccf96df9fc8c2ac500829d8e423ef02c - () https://git.kernel.org/stable/c/147a0e71ccf96df9fc8c2ac500829d8e423ef02c - Patch
References () https://git.kernel.org/stable/c/2fe0e281f7ad0a62259649764228227dd6b2561d - () https://git.kernel.org/stable/c/2fe0e281f7ad0a62259649764228227dd6b2561d - Patch
References () https://git.kernel.org/stable/c/3d6cc9898efdfb062efb74dc18cfc700e082f5d5 - () https://git.kernel.org/stable/c/3d6cc9898efdfb062efb74dc18cfc700e082f5d5 - Patch
References () https://git.kernel.org/stable/c/546d60859ecf13380fcabcbeace53a5971493a2b - () https://git.kernel.org/stable/c/546d60859ecf13380fcabcbeace53a5971493a2b - Patch
References () https://git.kernel.org/stable/c/563431c1f3c8f2230e4a9c445fa23758742bc4f0 - () https://git.kernel.org/stable/c/563431c1f3c8f2230e4a9c445fa23758742bc4f0 - Patch
References () https://git.kernel.org/stable/c/da834d6c1147c7519a9e55b510a03b7055104749 - () https://git.kernel.org/stable/c/da834d6c1147c7519a9e55b510a03b7055104749 - Patch
References () https://git.kernel.org/stable/c/df9db1a2af37f39ad1653c7b9b0d275d72d0bc67 - () https://git.kernel.org/stable/c/df9db1a2af37f39ad1653c7b9b0d275d72d0bc67 - Patch
References () https://git.kernel.org/stable/c/e208668ef7ba23efcbf76a8200cab8deee501c4d - () https://git.kernel.org/stable/c/e208668ef7ba23efcbf76a8200cab8deee501c4d - Patch
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
CWE CWE-415
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time Linux linux Kernel
Linux

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: corrige doble ejecución libre cuando falla el montaje en cifs_get_root() Cuando cifs_get_root() falla durante cifs_smb3_do_mount() llamamos a deactivate_locked_super() que eventualmente llamará a delay_free() que liberará el contexto. En esta situación no debemos proceder a ingresar a la sección out: en cifs_smb3_do_mount() y liberar los mismos recursos por segunda vez. [Jueves 10 de febrero 12:59:06 2022] ERROR: KASAN: use-after-free en rcu_cblist_dequeue+0x32/0x60 [Jueves 10 de febrero 12:59:06 2022] Lectura de tamaño 8 en la dirección ffff888364f4d110 por task swapper/1/ 0 [jueves 10 de febrero 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [jueves 10 de febrero 12:59:06 2022] Nombre del hardware: Microsoft Corporation Máquina virtual/Máquina virtual, BIOS Hyper-V UEFI versión v4.0 17/12/2019 [jueves 10 de febrero 12:59:06 2022] Seguimiento de llamadas: [jueves 10 de febrero 12:59:06 2022] [jueves 10 de febrero 12:59:06 2022] dump_stack_lvl+0x5d/0x78 [jueves 10 de febrero 12:59:06 2022] print_address_description.constprop.0+0x24/0x150 [jueves 10 de febrero 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [jueves 10 de febrero 12:59:06 2022] kasan_report.cold+0x7d/0x117 [jueves 10 de febrero 12:59:06 2022] ? rcu_cblist_dequeue+0x32/0x60 [jueves 10 de febrero 12:59:06 2022] __asan_load8+0x86/0xa0 [jueves 10 de febrero 12:59:06 2022] rcu_cblist_dequeue+0x32/0x60 [jueves 10 de febrero 12:59:06 2022] rcu_core+ 0x547/0xca0 [jueves 10 de febrero 12:59:06 2022]? call_rcu+0x3c0/0x3c0 [jueves 10 de febrero 12:59:06 2022]? __this_cpu_preempt_check+0x13/0x20 [jueves 10 de febrero 12:59:06 2022] ? lock_is_held_type+0xea/0x140 [jueves 10 de febrero 12:59:06 2022] rcu_core_si+0xe/0x10 [jueves 10 de febrero 12:59:06 2022] __do_softirq+0x1d4/0x67b [jueves 10 de febrero 12:59:06 2022] salida_rcu+ 0x100/0x150 [jueves 10 de febrero 12:59:06 2022] irq_exit_rcu+0xe/0x30 [jueves 10 de febrero 12:59:06 2022] sysvec_hyperv_stimer0+0x9d/0xc0 ... [jueves 10 de febrero 12:59:07 2022] Liberado por tarea 58179: [jueves 10 de febrero 12:59:07 2022] kasan_save_stack+0x26/0x50 [jueves 10 de febrero 12:59:07 2022] kasan_set_track+0x25/0x30 [jueves 10 de febrero 12:59:07 2022] kasan_set_free_info+0x24 /0x40 [jueves 10 de febrero 12:59:07 2022] ____kasan_slab_free+0x137/0x170 [jueves 10 de febrero 12:59:07 2022] __kasan_slab_free+0x12/0x20 [jueves 10 de febrero 12:59:07 2022] xb3/0x1d0 [Jueves 10 de febrero 12:59:07 2022] kfree+0xcd/0x520 [Jueves 10 de febrero 12:59:07 2022] cifs_smb3_do_mount+0x149/0xbe0 [cifs] [Jueves 10 de febrero 12:59:07 2022] smb3_get_tree+0x1a0/ 0x2e0 [cifs] [jueves 10 de febrero 12:59:07 2022] vfs_get_tree+0x52/0x140 [jueves 10 de febrero 12:59:07 2022] path_mount+0x635/0x10c0 [jueves 10 de febrero 12:59:07 2022] __x64_sys_mount+ 0x1bf /0x210 [jueves 10 de febrero 12:59:07 2022] do_syscall_64+0x5c/0xc0 [jueves 10 de febrero 12:59:07 2022] Entry_SYSCALL_64_after_hwframe+0x44/0xae [jueves 10 de febrero 12:59:07 2022] Última creación de trabajo potencialmente relacionado : [jueves 10 de febrero 12:59:07 2022] kasan_save_stack+0x26/0x50 [jueves 10 de febrero 12:59:07 2022] __kasan_record_aux_stack+0xb6/0xc0 [jueves 10 de febrero 12:59:07 2022] kasan_record_aux_stack_noalloc+0 xb/0x10 [ Jueves 10 de febrero 12:59:07 2022] call_rcu+0x76/0x3c0 [Jueves 10 de febrero 12:59:07 2022] cifs_umount+0xce/0xe0 [cifs] [Jueves 10 de febrero 12:59:07 2022] cifs_kill_sb+0xc8/0xe0 [CIFS] [Jue 10 de febrero 12:59:07 2022] Deactivate_Locked_super+0x5d/0xd0 [justo 10 de febrero 12:59:07 2022] CIFS_SMB3_DO_MOUNT+0XAB9/0XBE0 [CIFS] [THU FEB 10 12:59:07 2022] SMB3 +0x1a0/0x2e0 [cifs] [jueves 10 de febrero 12:59:07 2022] vfs_get_tree+0x52/0x140 [jueves 10 de febrero 12:59:07 2022] path_mount+0x635/0x10c0 [jueves 10 de febrero 12:59:07 2022] __x64_sys_mount+0x1bf/0x210 [jueves 10 de febrero 12:59:07 2022] do_syscall_64+0x5c/0xc0 [jueves 10 de febrero 12:59:07 2022] Entry_SYSCALL_64_after_hwframe+0x44/0xae

22 Aug 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-22 02:15

Updated : 2024-08-27 16:07


NVD link : CVE-2022-48919

Mitre link : CVE-2022-48919

CVE.ORG link : CVE-2022-48919


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-415

Double Free