cve/published/2022/CVE-2022-48674.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48674: erofs: fix pcluster use-after-free on UP platforms

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 erofs: fix pcluster use-after-free on UP platforms

 During stress testing with CONFIG_SMP disabled, KASAN reports as below:

 ==================================================================
 BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30
 Read of size 8 at addr ffff8881094223f8 by task stress/7789

 CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 Call Trace:
  <TASK>
 ..
  __mutex_lock+0xe5/0xc30
 ..
  z_erofs_do_read_page+0x8ce/0x1560
 ..
  z_erofs_readahead+0x31c/0x580
 ..
 Freed by task 7787
  kasan_save_stack+0x1e/0x40
  kasan_set_track+0x20/0x30
  kasan_set_free_info+0x20/0x40
  __kasan_slab_free+0x10c/0x190
  kmem_cache_free+0xed/0x380
  rcu_core+0x3d5/0xc90
  __do_softirq+0x12d/0x389

 Last potentially related work creation:
  kasan_save_stack+0x1e/0x40
  __kasan_record_aux_stack+0x97/0xb0
  call_rcu+0x3d/0x3f0
  erofs_shrink_workstation+0x11f/0x210
  erofs_shrink_scan+0xdc/0x170
  shrink_slab.constprop.0+0x296/0x530
  drop_slab+0x1c/0x70
  drop_caches_sysctl_handler+0x70/0x80
  proc_sys_call_handler+0x20a/0x2f0
  vfs_write+0x555/0x6c0
  ksys_write+0xbe/0x160
  do_syscall_64+0x3b/0x90

 The root cause is that erofs_workgroup_unfreeze() doesn't reset to
 orig_val thus it causes a race that the pcluster reuses unexpectedly
 before freeing.

 Since UP platforms are quite rare now, such path becomes unnecessary.
 Let's drop such specific-designed path directly instead.

 The Linux kernel CVE team has assigned CVE-2022-48674 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.0 with commit 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad and fixed in 5.15.68 with commit 8ddd001cef5e82d19192e6861068463ecca5f556
 	Issue introduced in 5.0 with commit 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad and fixed in 5.19.9 with commit 94c34faaafe7b55adc2d8d881db195b646959b9e
 	Issue introduced in 5.0 with commit 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad and fixed in 6.0 with commit 2f44013e39984c127c6efedf70e6b5f4e9dcf315
 	Issue introduced in 4.19.26 with commit 08ec9e6892cc792d7f8fe4d13bd8a0e91fb23488
 	Issue introduced in 4.20.13 with commit 78c46113413bea1cc345757112aa2642e0f66de5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48674
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/erofs/internal.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8ddd001cef5e82d19192e6861068463ecca5f556
 	https://git.kernel.org/stable/c/94c34faaafe7b55adc2d8d881db195b646959b9e
 	https://git.kernel.org/stable/c/2f44013e39984c127c6efedf70e6b5f4e9dcf315
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48674: erofs: fix pcluster use-after-free on UP platforms

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	erofs: fix pcluster use-after-free on UP platforms

	During stress testing with CONFIG_SMP disabled, KASAN reports as below:

	==================================================================
	BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30
	Read of size 8 at addr ffff8881094223f8 by task stress/7789

	CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3
	Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
	Call Trace:
	<TASK>
	..
	__mutex_lock+0xe5/0xc30
	..
	z_erofs_do_read_page+0x8ce/0x1560
	..
	z_erofs_readahead+0x31c/0x580
	..
	Freed by task 7787
	kasan_save_stack+0x1e/0x40
	kasan_set_track+0x20/0x30
	kasan_set_free_info+0x20/0x40
	__kasan_slab_free+0x10c/0x190
	kmem_cache_free+0xed/0x380
	rcu_core+0x3d5/0xc90
	__do_softirq+0x12d/0x389

	Last potentially related work creation:
	kasan_save_stack+0x1e/0x40
	__kasan_record_aux_stack+0x97/0xb0
	call_rcu+0x3d/0x3f0
	erofs_shrink_workstation+0x11f/0x210
	erofs_shrink_scan+0xdc/0x170
	shrink_slab.constprop.0+0x296/0x530
	drop_slab+0x1c/0x70
	drop_caches_sysctl_handler+0x70/0x80
	proc_sys_call_handler+0x20a/0x2f0
	vfs_write+0x555/0x6c0
	ksys_write+0xbe/0x160
	do_syscall_64+0x3b/0x90

	The root cause is that erofs_workgroup_unfreeze() doesn't reset to
	orig_val thus it causes a race that the pcluster reuses unexpectedly
	before freeing.

	Since UP platforms are quite rare now, such path becomes unnecessary.
	Let's drop such specific-designed path directly instead.

	The Linux kernel CVE team has assigned CVE-2022-48674 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.0 with commit 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad and fixed in 5.15.68 with commit 8ddd001cef5e82d19192e6861068463ecca5f556
	Issue introduced in 5.0 with commit 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad and fixed in 5.19.9 with commit 94c34faaafe7b55adc2d8d881db195b646959b9e
	Issue introduced in 5.0 with commit 73f5c66df3e26ab750cefcb9a3e08c71c9f79cad and fixed in 6.0 with commit 2f44013e39984c127c6efedf70e6b5f4e9dcf315
	Issue introduced in 4.19.26 with commit 08ec9e6892cc792d7f8fe4d13bd8a0e91fb23488
	Issue introduced in 4.20.13 with commit 78c46113413bea1cc345757112aa2642e0f66de5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48674
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/erofs/internal.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8ddd001cef5e82d19192e6861068463ecca5f556
	https://git.kernel.org/stable/c/94c34faaafe7b55adc2d8d881db195b646959b9e
	https://git.kernel.org/stable/c/2f44013e39984c127c6efedf70e6b5f4e9dcf315