CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
5.1%
In the Linux kernel, the following vulnerability has been resolved: erofs:
fix pcluster use-after-free on UP platforms During stress testing with
CONFIG_SMP disabled, KASAN reports as below:
================================================================== BUG:
KASAN: use-after-free in __mutex_lock+0xe5/0xc30 Read of size 8 at addr
ffff8881094223f8 by task stress/7789 CPU: 0 PID: 7789 Comm: stress Not
tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS
0.5.1 01/01/2011 Call Trace: <TASK> … __mutex_lock+0xe5/0xc30 …
z_erofs_do_read_page+0x8ce/0x1560 … z_erofs_readahead+0x31c/0x580 … Freed
by task 7787 kasan_save_stack+0x1e/0x40 kasan_set_track+0x20/0x30
kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x10c/0x190
kmem_cache_free+0xed/0x380 rcu_core+0x3d5/0xc90 __do_softirq+0x12d/0x389
Last potentially related work creation: kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xb0 call_rcu+0x3d/0x3f0
erofs_shrink_workstation+0x11f/0x210 erofs_shrink_scan+0xdc/0x170
shrink_slab.constprop.0+0x296/0x530 drop_slab+0x1c/0x70
drop_caches_sysctl_handler+0x70/0x80 proc_sys_call_handler+0x20a/0x2f0
vfs_write+0x555/0x6c0 ksys_write+0xbe/0x160 do_syscall_64+0x3b/0x90 The
root cause is that erofs_workgroup_unfreeze() doesn’t reset to orig_val
thus it causes a race that the pcluster reuses unexpectedly before freeing.
Since UP platforms are quite rare now, such path becomes unnecessary. Let’s
drop such specific-designed path directly instead.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-57.63 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1027.31 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1027.31~20.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1030.37 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < 5.15.0-1030.37~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-fde | < 5.15.0-1030.37.1 | UNKNOWN |
git.kernel.org/linus/2f44013e39984c127c6efedf70e6b5f4e9dcf315 (6.0-rc5)
git.kernel.org/stable/c/2f44013e39984c127c6efedf70e6b5f4e9dcf315
git.kernel.org/stable/c/8ddd001cef5e82d19192e6861068463ecca5f556
git.kernel.org/stable/c/94c34faaafe7b55adc2d8d881db195b646959b9e
launchpad.net/bugs/cve/CVE-2022-48674
nvd.nist.gov/vuln/detail/CVE-2022-48674
security-tracker.debian.org/tracker/CVE-2022-48674
www.cve.org/CVERecord?id=CVE-2022-48674