CVE-2022-49850

{"id": "CVE-2022-49850", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-05-01T15:16:08.567", "references": [{"url": "https://git.kernel.org/stable/c/1d4ff73062096c21b47954d2996b4df259777bda", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/36ff974b0310771417c0be64b64aa221bd70d63d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3c89ca6d3dfa6c09c515807a7a97a521f5d5147e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8ac932a4921a96ca52f61935dbba64ea87bbd5dc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b4506cff6630bb474bb46a2a75c31e533a756ba", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/abc082aac0d9b6b926038fc3adb7008306581be2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cb029b54953420f7a2d65100f1c5107f14411bdc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0cc93080d4c09510b74ecba87fd778cca390bb1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix deadlock in nilfs_count_free_blocks()\n\nA semaphore deadlock can occur if nilfs_get_block() detects metadata\ncorruption while locating data blocks and a superblock writeback occurs at\nthe same time:\n\ntask 1 task 2\n------ ------\n* A file operation *\nnilfs_truncate()\n nilfs_get_block()\n down_read(rwsem A) <--\n nilfs_bmap_lookup_contig()\n ... generic_shutdown_super()\n nilfs_put_super()\n * Prepare to write superblock *\n down_write(rwsem B) <--\n nilfs_cleanup_super()\n * Detect b-tree corruption * nilfs_set_log_cursor()\n nilfs_bmap_convert_error() nilfs_count_free_blocks()\n __nilfs_error() down_read(rwsem A) <--\n nilfs_set_error()\n down_write(rwsem B) <--\n\n *** DEADLOCK ***\n\nHere, nilfs_get_block() readlocks rwsem A (= NILFS_MDT(dat_inode)->mi_sem)\nand then calls nilfs_bmap_lookup_contig(), but if it fails due to metadata\ncorruption, __nilfs_error() is called from nilfs_bmap_convert_error()\ninside the lock section.\n\nSince __nilfs_error() calls nilfs_set_error() unless the filesystem is\nread-only and nilfs_set_error() attempts to writelock rwsem B (=\nnilfs->ns_sem) to write back superblock exclusively, hierarchical lock\nacquisition occurs in the order rwsem A -> rwsem B.\n\nNow, if another task starts updating the superblock, it may writelock\nrwsem B during the lock sequence above, and can deadlock trying to\nreadlock rwsem A in nilfs_count_free_blocks().\n\nHowever, there is actually no need to take rwsem A in\nnilfs_count_free_blocks() because it, within the lock section, only reads\na single integer data on a shared struct with\nnilfs_sufile_get_ncleansegs(). This has been the case after commit\naa474a220180 (\"nilfs2: add local variable to cache the number of clean\nsegments\"), that is, even before this bug was introduced.\n\nSo, this resolves the deadlock problem by just not taking the semaphore in\nnilfs_count_free_blocks()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: corregir bloqueo en nilfs_count_free_blocks() Un bloqueo de sem\u00e1foro puede ocurrir si nilfs_get_block() detecta corrupci\u00f3n de metadatos mientras localiza bloques de datos y ocurre una escritura diferida de superbloque al mismo tiempo: tarea 1 tarea 2 ------ ------ * Una operaci\u00f3n de archivo * nilfs_truncate() nilfs_get_block() down_read(rwsem A) &lt;-- nilfs_bmap_lookup_contig() ... generic_shutdown_super() nilfs_put_super() * Preparar para escribir superbloque * down_write(rwsem B) &lt;-- nilfs_cleanup_super() * Detectar corrupci\u00f3n de \u00e1rbol b * nilfs_set_log_cursor() nilfs_bmap_convert_error() nilfs_count_free_blocks() __nilfs_error() down_read(rwsem A) &lt;-- nilfs_set_error() down_write(rwsem B) &lt;-- *** DEADLOCK *** Aqu\u00ed, nilfs_get_block() vuelve a bloquear rwsem A (= NILFS_MDT(dat_inode)-&gt;mi_sem) y luego llama a nilfs_bmap_lookup_contig(), pero si falla debido a la corrupci\u00f3n de metadatos, se llama a __nilfs_error() desde nilfs_bmap_convert_error() dentro de la secci\u00f3n de bloqueo. Dado que __nilfs_error() llama a nilfs_set_error() a menos que el sistema de archivos sea de solo lectura y nilfs_set_error() intente bloquear la escritura de rwsem B (= nilfs-&gt;ns_sem) para reescribir exclusivamente el superbloque, la adquisici\u00f3n del bloqueo jer\u00e1rquico se produce en el orden rwsem A -&gt; rwsem B. Ahora bien, si otra tarea comienza a actualizar el superbloque, puede bloquear la escritura de rwsem B durante la secuencia de bloqueo anterior y puede bloquearse al intentar bloquear la lectura de rwsem A en nilfs_count_free_blocks(). Sin embargo, no es necesario tomar rwsem A en nilfs_count_free_blocks() porque, dentro de la secci\u00f3n de bloqueo, solo lee un \u00fanico dato entero en una estructura compartida con nilfs_sufile_get_ncleansegs(). Esto ha sucedido despu\u00e9s del commit aa474a220180 (\"nilfs2: a\u00f1adir variable local para almacenar en cach\u00e9 el n\u00famero de segmentos limpios\"), incluso antes de que se introdujera este error. Por lo tanto, esto resuelve el problema de interbloqueo simplemente eliminando el sem\u00e1foro en nilfs_count_free_blocks()."}], "lastModified": "2025-05-07T13:32:23.093", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D036C92F-D89C-426E-949E-DCDB2F1458DB", "versionEndExcluding": "4.9.334", "versionStartIncluding": "2.6.38"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "424802D2-E9E7-48A9-AD6F-DF2227B3D83A", "versionEndExcluding": "4.14.300", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5C69A12-68E2-400E-9A5A-375A673C8402", "versionEndExcluding": "4.19.267", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94D21814-3051-4860-AB06-C7880A3D4933", "versionEndExcluding": "5.4.225", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "172AC75C-0949-4468-9C58-64E2893EF0CE", "versionEndExcluding": "5.10.155", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39DC45D8-E30E-4F4A-9332-393B7BCF6900", "versionEndExcluding": "5.15.79", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3F26709-7D49-4AF0-8145-46CCF4E8E2AD", "versionEndExcluding": "6.0.9", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}