Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-49068

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
14/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: release correct delalloc amount in direct IO write path<br /> <br /> Running generic/406 causes the following WARNING in btrfs_destroy_inode()<br /> which tells there are outstanding extents left.<br /> <br /> In btrfs_get_blocks_direct_write(), we reserve a temporary outstanding<br /> extents with btrfs_delalloc_reserve_metadata() (or indirectly from<br /> btrfs_delalloc_reserve_space(()). We then release the outstanding extents<br /> with btrfs_delalloc_release_extents(). However, the "len" can be modified<br /> in the COW case, which releases fewer outstanding extents than expected.<br /> <br /> Fix it by calling btrfs_delalloc_release_extents() for the original length.<br /> <br /> To reproduce the warning, the filesystem should be 1 GiB. It&amp;#39;s<br /> triggering a short-write, due to not being able to allocate a large<br /> extent and instead allocating a smaller one.<br /> <br /> WARNING: CPU: 0 PID: 757 at fs/btrfs/inode.c:8848 btrfs_destroy_inode+0x1e6/0x210 [btrfs]<br /> Modules linked in: btrfs blake2b_generic xor lzo_compress<br /> lzo_decompress raid6_pq zstd zstd_decompress zstd_compress xxhash zram<br /> zsmalloc<br /> CPU: 0 PID: 757 Comm: umount Not tainted 5.17.0-rc8+ #101<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014<br /> RIP: 0010:btrfs_destroy_inode+0x1e6/0x210 [btrfs]<br /> RSP: 0018:ffffc9000327bda8 EFLAGS: 00010206<br /> RAX: 0000000000000000 RBX: ffff888100548b78 RCX: 0000000000000000<br /> RDX: 0000000000026900 RSI: 0000000000000000 RDI: ffff888100548b78<br /> RBP: ffff888100548940 R08: 0000000000000000 R09: ffff88810b48aba8<br /> R10: 0000000000000001 R11: ffff8881004eb240 R12: ffff88810b48a800<br /> R13: ffff88810b48ec08 R14: ffff88810b48ed00 R15: ffff888100490c68<br /> FS: 00007f8549ea0b80(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f854a09e733 CR3: 000000010a2e9003 CR4: 0000000000370eb0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> destroy_inode+0x33/0x70<br /> dispose_list+0x43/0x60<br /> evict_inodes+0x161/0x1b0<br /> generic_shutdown_super+0x2d/0x110<br /> kill_anon_super+0xf/0x20<br /> btrfs_kill_super+0xd/0x20 [btrfs]<br /> deactivate_locked_super+0x27/0x90<br /> cleanup_mnt+0x12c/0x180<br /> task_work_run+0x54/0x80<br /> exit_to_user_mode_prepare+0x152/0x160<br /> syscall_exit_to_user_mode+0x12/0x30<br /> do_syscall_64+0x42/0x80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7f854a000fb7

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.27 (including) 5.15.35 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16.13 (including) 5.17.4 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools