Wind River Support Network

Status: Fixed

LIN1022-9440 : Security Advisory - linux - CVE-2022-48733

Created: Jun 20, 2024    Updated: Jun 25, 2024
Resolved Date: Jun 24, 2024
Found In Version: 10.22.33.1
Fix Version: 10.22.33.17
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free after failure to create a snapshot

At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and then attach it to the transaction's list of pending snapshots. After that we call btrfs_commit_transaction(), and if that returns an error we jump to the 'fail' label, where we kfree() the pending snapshot structure. This can result in a later use-after-free of the pending snapshot:

1) We allocated the pending snapshot and added it to the transaction's list of pending snapshots;

2) We call btrfs_commit_transaction(), and it fails either at the first call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups(). In both cases, we don't abort the transaction and we release our transaction handle. We jump to the 'fail' label and free the pending snapshot structure. We return with the pending snapshot still in the transaction's list;

3) Another task commits the transaction. This time there's no error at all, and then during the transaction commit it accesses a pointer to the pending snapshot structure that the snapshot creation task has already freed, resulting in a use-after-free.

This issue could actually be detected by smatch, which produced the following warning:

  fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list

So fix this by not having the snapshot creation ioctl directly add the pending snapshot to the transaction's list. Instead add the pending snapshot to the transaction handle, and then at btrfs_commit_transaction() we add the snapshot to the list only when we can guarantee that any error returned after that point will result in a transaction abort, in which case the ioctl code can safely free the pending snapshot and no one can access it anymore.
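As an added illustration (not code from the kernel, from Wind River, or from this advisory), the following user-space C model shows the ownership rule the fix establishes: the creator frees the pending entry only when it is guaranteed not to sit on a list that another committer could walk. The list helpers, the transaction and handle structures, the fail points and the kfree_checked() detector are all simplifications assumed for the model; kfree_checked() reports the same condition the smatch warning describes, an entry freed while still linked.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive list standing in for the kernel's list_head (assumption). */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n; }
static int list_empty(const struct list_head *h) { return h->next == h; }
/* A detached node points at itself, so "still linked" is observable. */
static int list_linked(const struct list_head *n) { return n->next != n; }

struct pending_snapshot { char name[32]; struct list_head list; };

/* Transaction-wide state: any task that commits walks pending_snapshots. */
struct transaction { struct list_head pending_snapshots; int aborted; int created; };

/* Per-task handle; in the fixed ordering the snapshot is attached here first. */
struct trans_handle { struct transaction *trans; struct pending_snapshot *pending_snapshot; };

/* Where the modelled commit fails (hypothetical stand-ins for the real call sites). */
enum fail_point { FAIL_NONE, FAIL_EARLY, FAIL_LATE };

void transaction_init(struct transaction *t)
{ list_init(&t->pending_snapshots); t->aborted = 0; t->created = 0; }

/* Commit modelled on the description: an early failure returns before the
 * handle's entry is linked; a late failure aborts the transaction, so no
 * other task can commit it and walk the list afterwards. */
static int commit_transaction(struct trans_handle *h, enum fail_point fp)
{
    struct transaction *t = h->trans;
    if (fp == FAIL_EARLY)
        return -EIO;
    if (h->pending_snapshot)   /* fixed ordering: link only past the point of no return */
        list_add_tail(&h->pending_snapshot->list, &t->pending_snapshots);
    if (fp == FAIL_LATE)
        t->aborted = 1;
    /* Whether aborting or creating, this commit consumes every entry it holds. */
    while (!list_empty(&t->pending_snapshots)) {
        list_del(t->pending_snapshots.next);
        if (!t->aborted)
            t->created++;
    }
    return t->aborted ? -EIO : 0;
}

/* Debug-style free: an entry still on a list at free time is the condition
 * smatch flagged. Unlink it so the model stays well defined and return 1. */
static int kfree_checked(struct pending_snapshot *p)
{
    int dangling = list_linked(&p->list);
    if (dangling)
        list_del(&p->list);
    free(p);
    return dangling;
}

static struct pending_snapshot *alloc_pending(const char *name)
{
    struct pending_snapshot *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    snprintf(p->name, sizeof p->name, "%s", name);
    list_init(&p->list);
    return p;
}

/* Original ordering: the ioctl links the entry into the shared list before
 * committing; an early commit failure then frees it while still linked. */
int original_leaves_dangling(enum fail_point fp)
{
    struct transaction t;
    struct trans_handle h = { &t, NULL };
    struct pending_snapshot *p = alloc_pending("snap");
    transaction_init(&t);
    list_add_tail(&p->list, &t.pending_snapshots);
    (void)commit_transaction(&h, fp);
    return kfree_checked(p);
}

/* Fixed ordering: the ioctl hands the entry to its handle; the commit decides
 * when (and whether) it reaches the shared list. */
static int run_fixed(enum fail_point fp, struct transaction *t)
{
    struct trans_handle h = { t, NULL };
    struct pending_snapshot *p = alloc_pending("snap");
    transaction_init(t);
    h.pending_snapshot = p;
    (void)commit_transaction(&h, fp);
    return kfree_checked(p);
}
int fixed_leaves_dangling(enum fail_point fp) { struct transaction t; return run_fixed(fp, &t); }
int fixed_snapshots_created(enum fail_point fp) { struct transaction t; run_fixed(fp, &t); return t.created; }

int main(void)
{
    printf("original, early commit failure: dangling=%d\n", original_leaves_dangling(FAIL_EARLY));
    printf("fixed, early commit failure:    dangling=%d\n", fixed_leaves_dangling(FAIL_EARLY));
    printf("fixed, late commit failure:     dangling=%d\n", fixed_leaves_dangling(FAIL_LATE));
    printf("fixed, clean commit:            created=%d\n", fixed_snapshots_created(FAIL_NONE));
    return 0;
}
```

The point of the model is the invariant, not the data structures: with the original ordering the early-failure run reports a dangling entry, while with the fixed ordering every run reports none, because the entry is either never linked (early failure) or is consumed by the one commit that linked it (abort or success). Running a build with `-fsanitize=address` against a variant that skips the unlink in kfree_checked() is the user-space analogue of the kernel's KASAN report for this class of bug.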

CREATE(Triage):(User=admin) CVE-2022-48733 (https://nvd.nist.gov/vuln/detail/CVE-2022-48733)

CVEs

