| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122453-CVE-2022-50755-f5d8@gregkh> Date: Wed, 24 Dec 2025 14:06:06 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50755: udf: Avoid double brelse() in udf_rename() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: udf: Avoid double brelse() in udf_rename() syzbot reported a warning like below [1]: VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 ... Call Trace: <TASK> invalidate_bh_lru+0x99/0x150 smp_call_function_many_cond+0xe2a/0x10c0 ? generic_remap_file_range_prep+0x50/0x50 ? __brelse+0xa0/0xa0 ? __mutex_lock+0x21c/0x12d0 ? smp_call_on_cpu+0x250/0x250 ? rcu_read_lock_sched_held+0xb/0x60 ? lock_release+0x587/0x810 ? __brelse+0xa0/0xa0 ? generic_remap_file_range_prep+0x50/0x50 on_each_cpu_cond_mask+0x3c/0x80 blkdev_flush_mapping+0x13a/0x2f0 blkdev_put_whole+0xd3/0xf0 blkdev_put+0x222/0x760 deactivate_locked_super+0x96/0x160 deactivate_super+0xda/0x100 cleanup_mnt+0x222/0x3d0 task_work_run+0x149/0x240 ? task_work_cancel+0x30/0x30 do_exit+0xb29/0x2a40 ? reacquire_held_locks+0x4a0/0x4a0 ? do_raw_spin_lock+0x12a/0x2b0 ? mm_update_next_owner+0x7c0/0x7c0 ? rwlock_bug.part.0+0x90/0x90 ? zap_other_threads+0x234/0x2d0 do_group_exit+0xd0/0x2a0 __x64_sys_exit_group+0x3a/0x50 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that brelse() is called on both ofibh.sbh and ofibh.ebh by udf_find_entry() when it returns NULL. However, brelse() is called by udf_rename(), too. So, b_count on buffer_head becomes unbalanced. This patch fixes the issue by not calling brelse() by udf_rename() when udf_find_entry() returns NULL. The Linux kernel CVE team has assigned CVE-2022-50755 to this issue. Affected and fixed versions =========================== Fixed in 4.9.337 with commit 78eba2778ae10fb2a9d450e14d26eb6f6bf1f906 Fixed in 4.14.303 with commit 9d2cad69547abea961fa80426d600b861de1952b Fixed in 4.19.270 with commit d6da7ec0f94f5208c848e0e94b70f54a0bd9c587 Fixed in 5.4.229 with commit 156d440dea97deada629bb51cb17887abd862605 Fixed in 5.10.163 with commit 40dba68d418237b1ae2beaa06d46a94dd946278e Fixed in 5.15.86 with commit e7a6a53c871460727be09f4414ccb29fb8697526 Fixed in 6.0.16 with commit 4fca09045509f5bde8fc28e68fbca38cb4bdcf2e Fixed in 6.1.2 with commit 090bf49833c51da297ec74f98ad2bf44daea9311 Fixed in 6.2 with commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50755 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/udf/namei.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906 https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587 https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605 https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526 https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311 https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2
Powered by blists - more mailing lists