CVE-2022-50456

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix resolving backrefs for inline extent followed by prealloc<br /> <br /> If a file consists of an inline extent followed by a regular or prealloc<br /> extent, then a legitimate attempt to resolve a logical address in the<br /> non-inline region will result in add_all_parents reading the invalid<br /> offset field of the inline extent. If the inline extent item is placed<br /> in the leaf eb s.t. it is the first item, attempting to access the<br /> offset field will not only be meaningless, it will go past the end of<br /> the eb and cause this panic:<br /> <br /> [17.626048] BTRFS warning (device dm-2): bad eb member end: ptr 0x3fd4 start 30834688 member offset 16377 size 8<br /> [17.631693] general protection fault, probably for non-canonical address 0x5088000000000: 0000 [#1] SMP PTI<br /> [17.635041] CPU: 2 PID: 1267 Comm: btrfs Not tainted 5.12.0-07246-g75175d5adc74-dirty #199<br /> [17.637969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014<br /> [17.641995] RIP: 0010:btrfs_get_64+0xe7/0x110<br /> [17.649890] RSP: 0018:ffffc90001f73a08 EFLAGS: 00010202<br /> [17.651652] RAX: 0000000000000001 RBX: ffff88810c42d000 RCX: 0000000000000000<br /> [17.653921] RDX: 0005088000000000 RSI: ffffc90001f73a0f RDI: 0000000000000001<br /> [17.656174] RBP: 0000000000000ff9 R08: 0000000000000007 R09: c0000000fffeffff<br /> [17.658441] R10: ffffc90001f73790 R11: ffffc90001f73788 R12: ffff888106afe918<br /> [17.661070] R13: 0000000000003fd4 R14: 0000000000003f6f R15: cdcdcdcdcdcdcdcd<br /> [17.663617] FS: 00007f64e7627d80(0000) GS:ffff888237c80000(0000) knlGS:0000000000000000<br /> [17.666525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [17.668664] CR2: 000055d4a39152e8 CR3: 000000010c596002 CR4: 0000000000770ee0<br /> [17.671253] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [17.673634] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [17.676034] PKRU: 55555554<br /> [17.677004] Call Trace:<br /> [17.677877] add_all_parents+0x276/0x480<br /> [17.679325] find_parent_nodes+0xfae/0x1590<br /> [17.680771] btrfs_find_all_leafs+0x5e/0xa0<br /> [17.682217] iterate_extent_inodes+0xce/0x260<br /> [17.683809] ? btrfs_inode_flags_to_xflags+0x50/0x50<br /> [17.685597] ? iterate_inodes_from_logical+0xa1/0xd0<br /> [17.687404] iterate_inodes_from_logical+0xa1/0xd0<br /> [17.689121] ? btrfs_inode_flags_to_xflags+0x50/0x50<br /> [17.691010] btrfs_ioctl_logical_to_ino+0x131/0x190<br /> [17.692946] btrfs_ioctl+0x104a/0x2f60<br /> [17.694384] ? selinux_file_ioctl+0x182/0x220<br /> [17.695995] ? __x64_sys_ioctl+0x84/0xc0<br /> [17.697394] __x64_sys_ioctl+0x84/0xc0<br /> [17.698697] do_syscall_64+0x33/0x40<br /> [17.700017] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> [17.701753] RIP: 0033:0x7f64e72761b7<br /> [17.709355] RSP: 002b:00007ffefb067f58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [17.712088] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f64e72761b7<br /> [17.714667] RDX: 00007ffefb067fb0 RSI: 00000000c0389424 RDI: 0000000000000003<br /> [17.717386] RBP: 00007ffefb06d188 R08: 000055d4a390d2b0 R09: 00007f64e7340a60<br /> [17.719938] R10: 0000000000000231 R11: 0000000000000246 R12: 0000000000000001<br /> [17.722383] R13: 0000000000000000 R14: 00000000c0389424 R15: 000055d4a38fd2a0<br /> [17.724839] Modules linked in:<br /> <br /> Fix the bug by detecting the inline extent item in add_all_parents and<br /> skipping to the next extent item.