CVE-2022-48833

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/07/2024
Last modified:
07/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: skip reserved bytes warning on unmount after log cleanup failure

After the recent changes made by commit c2e39305299f01 ("btrfs: clear
extent buffer uptodate when we fail to write it") and its followup fix,
commit 651740a5024117 ("btrfs: check WRITE_ERR when trying to read an
extent buffer"), we can now end up not cleaning up space reservations of
log tree extent buffers after a transaction abort happens, as well as not
cleaning up still dirty extent buffers.

This happens because if writeback for a log tree extent buffer failed,
then we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer
and we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,
when trying to free the log tree with free_log_tree(), which iterates
over the tree, we can end up getting an -EIO error when trying to read
a node or a leaf, since read_extent_buffer_pages() returns -EIO if an
extent buffer does not have EXTENT_BUFFER_UPTODATE set and has the
EXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return
immediately as we can not iterate over the entire tree.

In that case we never update the reserved space for an extent buffer in
the respective block group and space_info object.

When this happens we get the following traces when unmounting the fs:

[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure
[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure
[174957.399379] ------------[ cut here ]------------
[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]
[174957.407523] Modules linked in: btrfs overlay dm_zero (...)
[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1
[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]
[174957.429717] Code: 21 48 8b bd (...)
[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206
[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8
[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000
[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000
[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148
[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100
[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000
[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0
[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[174957.443948] Call Trace:
[174957.444264]
[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]
[174957.445238] close_ctree+0x301/0x357 [btrfs]
[174957.445803] ? call_rcu+0x16c/0x290
[174957.446250] generic_shutdown_super+0x74/0x120
[174957.446832] kill_anon_super+0x14/0x30
[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]
[174957.447890] deactivate_locked_super+0x31/0xa0
[174957.448440] cleanup_mnt+0x147/0x1c0
[174957.448888] task_work_run+0x5c/0xa0
[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0
[174957.449934] syscall_exit_to_user_mode+0x16/0x40
[174957.450512] do_syscall_64+0x48/0xc0
[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae
[174957.451605] RIP: 0033:0x7f328fdc4a97
[174957.452059] Code: 03 0c 00 f7 (...)
[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97
[174957.456131] RDX: 0000000000000000 RSI: 00000000000000
---truncated---

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.165 (including) | 5.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.85 (including) | 5.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.8 (including) | 5.15.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.11 (including) | 5.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16.1 (including) | 5.16.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 5.17 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.16:rc7:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.16:rc8:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:* | |
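As an added example, not part of this CVE record or of the Linux kernel project, the checker below transcribes the version ranges and exact versions from the table above and tests a kernel version string (for instance the output of `uname -r`) against them. The ordering rule it applies (a release candidate such as 5.16-rc8 sorts before the final 5.16, which sorts before 5.16.1), the padding of `5.16` to `5.16.0`, and the treatment of a row whose lower bound sorts above its upper bound (it matches nothing and is reported separately) are the example's own assumptions, not statements from the record.

```python
"""
Added example (not part of the CVE record): decide whether a kernel
version string falls inside the affected ranges listed for CVE-2022-48833.
"""
import re

# Ranges transcribed from the page's table: (from, from_inclusive, to, to_inclusive).
AFFECTED_RANGES = [
    ("5.4.165", True, "5.5", False),
    ("5.10.85", True, "5.11", False),
    ("5.15.8", True, "5.15.31", False),
    ("5.15.11", True, "5.16", False),
    ("5.16.1", True, "5.16.17", False),
    ("5.18", True, "5.17", False),  # as printed on the page: lower bound above upper bound
]

# Single-version CPE rows from the table ("5.16:-" is the final 5.16 release).
AFFECTED_EXACT = ["5.16", "5.16-rc6", "5.16-rc7", "5.16-rc8", "5.17-rc1", "5.17-rc2"]


def parse_version(v):
    """Turn '5.15.8', '5.16-rc7' or a uname string such as
    '5.15.8-200.fc35.x86_64' into a sortable tuple.

    Assumption: release candidates sort before the final release of the
    same version, so 5.16-rc8 < 5.16 < 5.16.1. Distro suffixes after the
    numeric part are ignored."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-rc(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # pad so that 5.16 compares equal to 5.16.0
    rc = m.group(2)
    # (numeric part, final-release flag, rc number): a final release (1, 0)
    # sorts after every rc (0, n) of the same numeric version.
    return (tuple(nums), 1 if rc is None else 0, int(rc) if rc else 0)


def in_range(version, lo, lo_inc, hi, hi_inc):
    """True if version lies between lo and hi, honouring inclusive/exclusive bounds."""
    v, lo_v, hi_v = parse_version(version), parse_version(lo), parse_version(hi)
    if lo_v > hi_v:
        return False  # an inverted range can never contain a version
    above_lo = v >= lo_v if lo_inc else v > lo_v
    below_hi = v <= hi_v if hi_inc else v < hi_v
    return above_lo and below_hi


def is_affected(version):
    """Return a description of the matching table entry, or None if the
    version is not listed. Exact rows are checked before ranges."""
    v = parse_version(version)
    for exact in AFFECTED_EXACT:
        if parse_version(exact) == v:
            return f"exact: {exact}"
    for lo, lo_inc, hi, hi_inc in AFFECTED_RANGES:
        if in_range(version, lo, lo_inc, hi, hi_inc):
            lo_tag = "including" if lo_inc else "excluding"
            hi_tag = "including" if hi_inc else "excluding"
            return f"range: {lo} ({lo_tag}) .. {hi} ({hi_tag})"
    return None


def inverted_ranges():
    """Table rows whose lower bound sorts above their upper bound; such a row
    matches no version and should be looked at before trusting a 'not affected' verdict."""
    return [(lo, hi) for lo, _, hi, _ in AFFECTED_RANGES
            if parse_version(lo) > parse_version(hi)]


if __name__ == "__main__":
    # Constructed sample inputs, including a distro-style uname string.
    for sample in ["5.15.20", "5.16-rc7", "5.16.17", "5.4.164", "5.10.100-generic"]:
        print(sample, "->", is_affected(sample))
    print("inverted rows:", inverted_ranges())
```

A version that lands inside a range only says that the upstream release carried the bug; a distribution kernel with the same version number may already ship the backported fix, so the distribution's own advisory is the authoritative source for patched builds. Note also that two ranges in the table overlap (5.15.8..5.15.31 and 5.15.11..5.16), so the first match is reported rather than all of them.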