CVE-2022-48733

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 20/06/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free after failure to create a snapshot

At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and then attach it to the transaction's list of pending snapshots. After that we call btrfs_commit_transaction(), and if that returns an error we jump to 'fail' label, where we kfree() the pending snapshot structure. This can result in a later use-after-free of the pending snapshot:

1) We allocated the pending snapshot and added it to the transaction's list of pending snapshots;

2) We call btrfs_commit_transaction(), and it fails either at the first call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups(). In both cases, we don't abort the transaction and we release our transaction handle. We jump to the 'fail' label and free the pending snapshot structure. We return with the pending snapshot still in the transaction's list;

3) Another task commits the transaction. This time there's no error at all, and then during the transaction commit it accesses a pointer to the pending snapshot structure that the snapshot creation task has already freed, resulting in a use-after-free.

This issue could actually be detected by smatch, which produced the following warning:

fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list

So fix this by not having the snapshot creation ioctl directly add the pending snapshot to the transaction's list. Instead add the pending snapshot to the transaction handle, and then at btrfs_commit_transaction() we add the snapshot to the list only when we can guarantee that any error returned after that point will result in a transaction abort, in which case the ioctl code can safely free the pending snapshot and no one can access it anymore.
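The ownership change the fix describes, as an added C model (not btrfs code): the structures, the allocator, the early_error flag and the function names are stand-ins, and kfree() is simulated with a flag so the stale entry is counted by the next committer instead of being dereferenced.

```c
#include <string.h>

/* Model of the CVE-2022-48733 pattern (added example, not btrfs code): a pending
 * snapshot is published on a transaction-wide list that every committer walks.
 * kfree() is simulated with a flag so a stale access is counted, not executed. */
struct pending_snapshot { struct pending_snapshot *next; int freed; };
struct transaction  { struct pending_snapshot *pending; };       /* shared by all tasks */
struct trans_handle { struct transaction *trans; struct pending_snapshot *pending_snapshot; }; /* per task */
static struct pending_snapshot slot;  /* stand-in allocator: one object is enough here */
static int early_error;               /* "delayed refs / dirty block groups failed" */
static struct pending_snapshot *ps_alloc(void) { memset(&slot, 0, sizeof slot); return &slot; }
static void ps_free(struct pending_snapshot *p) { p->freed = 1; }   /* simulated kfree() */
static void list_add(struct pending_snapshot **head, struct pending_snapshot *p)
{ p->next = *head; *head = p; }

/* Pre-fix create_snapshot(): publish first, free on failure without unlinking. */
static int create_snapshot_vuln(struct transaction *t)
{
    struct pending_snapshot *p = ps_alloc();
    list_add(&t->pending, p);                    /* other committers can see p now */
    if (early_error) { ps_free(p); return -1; }  /* commit failed early: the 'fail' label */
    return 0;                                    /* on failure, t->pending still points at p */
}
/* Post-fix: commit moves the snapshot from the private handle to the shared
 * list only once any later error would abort the whole transaction. */
static int commit_transaction_fixed(struct trans_handle *h)
{
    if (early_error) return -1;                  /* snapshot still owned by the caller */
    list_add(&h->trans->pending, h->pending_snapshot);
    return 0;                                    /* past the point of no return */
}
static int create_snapshot_fixed(struct transaction *t)
{
    struct trans_handle h = { t, ps_alloc() };   /* attached to the handle, not the list */
    if (commit_transaction_fixed(&h)) { ps_free(h.pending_snapshot); return -1; }
    return 0;
}

/* The next commit by another task walks the list; count entries already freed. */
static int stale_entries_seen(const struct transaction *t)
{ int n = 0; for (const struct pending_snapshot *p = t->pending; p; p = p->next) n += p->freed; return n; }

/* Failing-ioctl scenario against either version; returns how many freed
 * snapshots the next (successful) commit would touch: 1 before the fix, 0 after. */
int stale_after_failed_snapshot(int use_fixed)
{
    struct transaction t = { 0 };
    early_error = 1;
    if (use_fixed) create_snapshot_fixed(&t); else create_snapshot_vuln(&t);
    return stale_entries_seen(&t);
}
```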

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        -                  5.10.226 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)   5.15.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)   5.16.8 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*   (exact version)
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*   (exact version)