| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022653-CVE-2022-49414-5693@gregkh>
Date: Wed, 26 Feb 2025 03:11:28 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49414: ext4: fix race condition between ext4_write and ext4_convert_inline_data
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix race condition between ext4_write and ext4_convert_inline_data
Hulk Robot reported a BUG_ON:
==================================================================
EXT4-fs error (device loop3): ext4_mb_generate_buddy:805: group 0,
block bitmap and bg descriptor inconsistent: 25 vs 31513 free clusters
kernel BUG at fs/ext4/ext4_jbd2.c:53!
invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 25371 Comm: syz-executor.3 Not tainted 5.10.0+ #1
RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]
RIP: 0010:__ext4_journal_stop+0x10e/0x110 fs/ext4/ext4_jbd2.c:116
[...]
Call Trace:
ext4_write_inline_data_end+0x59a/0x730 fs/ext4/inline.c:795
generic_perform_write+0x279/0x3c0 mm/filemap.c:3344
ext4_buffered_write_iter+0x2e3/0x3d0 fs/ext4/file.c:270
ext4_file_write_iter+0x30a/0x11c0 fs/ext4/file.c:520
do_iter_readv_writev+0x339/0x3c0 fs/read_write.c:732
do_iter_write+0x107/0x430 fs/read_write.c:861
vfs_writev fs/read_write.c:934 [inline]
do_pwritev+0x1e5/0x380 fs/read_write.c:1031
[...]
==================================================================
Above issue may happen as follows:
cpu1 cpu2
__________________________|__________________________
do_pwritev
vfs_writev
do_iter_write
ext4_file_write_iter
ext4_buffered_write_iter
generic_perform_write
ext4_da_write_begin
vfs_fallocate
ext4_fallocate
ext4_convert_inline_data
ext4_convert_inline_data_nolock
ext4_destroy_inline_data_nolock
clear EXT4_STATE_MAY_INLINE_DATA
ext4_map_blocks
ext4_ext_map_blocks
ext4_mb_new_blocks
ext4_mb_regular_allocator
ext4_mb_good_group_nolock
ext4_mb_init_group
ext4_mb_init_cache
ext4_mb_generate_buddy --> error
ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
ext4_restore_inline_data
set EXT4_STATE_MAY_INLINE_DATA
ext4_block_write_begin
ext4_da_write_end
ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)
ext4_write_inline_data_end
handle=NULL
ext4_journal_stop(handle)
__ext4_journal_stop
ext4_put_nojournal(handle)
ref_cnt = (unsigned long)handle
BUG_ON(ref_cnt == 0) ---> BUG_ON
The lock held by ext4_convert_inline_data is xattr_sem, but the lock
held by generic_perform_write is i_rwsem. Therefore, the two locks can
be concurrent.
To solve above issue, we add inode_lock() for ext4_convert_inline_data().
At the same time, move ext4_convert_inline_data() in front of
ext4_punch_hole(), remove similar handling from ext4_punch_hole().
The Linux kernel CVE team has assigned CVE-2022-49414 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.8 with commit 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf and fixed in 5.4.207 with commit 18881d7e517169193d9ef6c89c7f322e3e164277
Issue introduced in 3.8 with commit 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf and fixed in 5.10.132 with commit 91f90b571f1a23f5b8a9c2b68a9aa5d6981a3c3d
Issue introduced in 3.8 with commit 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf and fixed in 5.15.46 with commit 14602353b350950b551eccc6b46411aa3b12ffe2
Issue introduced in 3.8 with commit 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf and fixed in 5.17.14 with commit 725e00cb7039eae291890f1bb19bc867176745f6
Issue introduced in 3.8 with commit 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf and fixed in 5.18.3 with commit ccc6639f831bee91aa8b41c8a1cdd020ecfb9f32
Issue introduced in 3.8 with commit 0c8d414f163f5d35e43a4de7a6e5ee8c253fcccf and fixed in 5.19 with commit f87c7a4b084afc13190cbb263538e444cb2b392a
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49414
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/ext4/extents.c
fs/ext4/inode.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/18881d7e517169193d9ef6c89c7f322e3e164277
https://git.kernel.org/stable/c/91f90b571f1a23f5b8a9c2b68a9aa5d6981a3c3d
https://git.kernel.org/stable/c/14602353b350950b551eccc6b46411aa3b12ffe2
https://git.kernel.org/stable/c/725e00cb7039eae291890f1bb19bc867176745f6
https://git.kernel.org/stable/c/ccc6639f831bee91aa8b41c8a1cdd020ecfb9f32
https://git.kernel.org/stable/c/f87c7a4b084afc13190cbb263538e444cb2b392a
Powered by blists - more mailing lists