cve/published/2022/CVE-2022-49849.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49849: btrfs: fix match incorrectly in dev_args_match_device

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 btrfs: fix match incorrectly in dev_args_match_device

 syzkaller found a failed assertion:

   assertion failed: (args->devid != (u64)-1) || args->missing, in fs/btrfs/volumes.c:6921

 This can be triggered when we set devid to (u64)-1 by ioctl. In this
 case, the match of devid will be skipped and the match of device may
 succeed incorrectly.

 Patch 562d7b1512f7 introduced this function which is used to match device.
 This function contains two matching scenarios, we can distinguish them by
 checking the value of args->missing rather than check whether args->devid
 and args->uuid is default value.

 The Linux kernel CVE team has assigned CVE-2022-49849 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.54 with commit 5578b681fbf2b22d61189a2539efd3009518b328 and fixed in 5.15.79 with commit c9fe4719c662e0af17eea723cf345e37719fd3c9
 	Issue introduced in 5.16 with commit 562d7b1512f7369a19bca2883e2e8672d78f0481 and fixed in 6.0.9 with commit bc6c127c377010f136360552ebf91c2723081c1b
 	Issue introduced in 5.16 with commit 562d7b1512f7369a19bca2883e2e8672d78f0481 and fixed in 6.1 with commit 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49849
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/btrfs/volumes.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c9fe4719c662e0af17eea723cf345e37719fd3c9
 	https://git.kernel.org/stable/c/bc6c127c377010f136360552ebf91c2723081c1b
 	https://git.kernel.org/stable/c/0fca385d6ebc3cabb20f67bcf8a71f1448bdc001
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49849: btrfs: fix match incorrectly in dev_args_match_device

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	btrfs: fix match incorrectly in dev_args_match_device

	syzkaller found a failed assertion:

	assertion failed: (args->devid != (u64)-1) \|\| args->missing, in fs/btrfs/volumes.c:6921

	This can be triggered when we set devid to (u64)-1 by ioctl. In this
	case, the match of devid will be skipped and the match of device may
	succeed incorrectly.

	Patch 562d7b1512f7 introduced this function which is used to match device.
	This function contains two matching scenarios, we can distinguish them by
	checking the value of args->missing rather than check whether args->devid
	and args->uuid is default value.

	The Linux kernel CVE team has assigned CVE-2022-49849 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.54 with commit 5578b681fbf2b22d61189a2539efd3009518b328 and fixed in 5.15.79 with commit c9fe4719c662e0af17eea723cf345e37719fd3c9
	Issue introduced in 5.16 with commit 562d7b1512f7369a19bca2883e2e8672d78f0481 and fixed in 6.0.9 with commit bc6c127c377010f136360552ebf91c2723081c1b
	Issue introduced in 5.16 with commit 562d7b1512f7369a19bca2883e2e8672d78f0481 and fixed in 6.1 with commit 0fca385d6ebc3cabb20f67bcf8a71f1448bdc001

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49849
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/btrfs/volumes.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c9fe4719c662e0af17eea723cf345e37719fd3c9
	https://git.kernel.org/stable/c/bc6c127c377010f136360552ebf91c2723081c1b
	https://git.kernel.org/stable/c/0fca385d6ebc3cabb20f67bcf8a71f1448bdc001