A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() and a BUG() in fs/ext4/ext4.h:2057. It was tested on 4.14 and 5.16; after the bug is triggered twice or more, it randomly got segmentation faults in either systemd or other libc functions, with the traces below.

==================================================================
[ 99.129641] BUG: KASAN: use-after-free in dx_insert_block+0xf9/0x1e0
[ 99.129678] Read of size 199528 at addr ffff88825d339028 by task tmp32/1078
[ 99.129729] CPU: 3 PID: 1078 Comm: tmp32 Not tainted 5.4.171 #1
[ 99.129730] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 99.129731] Call Trace:
[ 99.129734] dump_stack+0x8b/0xb9
[ 99.129736] ? dx_insert_block+0xf9/0x1e0
[ 99.129739] print_address_description.constprop.4+0x23/0x400
[ 99.129740] ? dx_insert_block+0xf9/0x1e0
[ 99.129742] __kasan_report+0x15c/0x1e0
[ 99.129743] ? dx_insert_block+0xf9/0x1e0
[ 99.129744] kasan_report+0x10/0x20
[ 99.129746] check_memory_region+0x149/0x1a0
[ 99.129747] memmove+0x1f/0x50
[ 99.129748] dx_insert_block+0xf9/0x1e0
[ 99.129750] do_split+0x105b/0x1bf0
[ 99.129754] ? ext4_rename_dir_finish+0x820/0x820
[ 99.129755] ext4_dx_add_entry+0x30b/0x2a20
[ 99.129757] ? _cond_resched+0x15/0x30
[ 99.129759] ? __getblk_gfp+0x35/0x7f0
[ 99.129760] ? add_dirent_to_buf+0x630/0x630
[ 99.129761] ? memset+0x1f/0x40
[ 99.129763] ? fscrypt_setup_filename+0x32/0xce0
[ 99.129765] ? ext4_getblk+0x127/0x3d0
[ 99.129766] ? do_syscall_64+0x9a/0x390
[ 99.129768] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 99.129769] ? ext4_iomap_begin+0xf10/0xf10
[ 99.129771] ? add_transaction_credits+0x13d/0xaf0
[ 99.129772] ? memset+0x1f/0x40
[ 99.129773] ? ext4_fname_setup_filename+0xd1/0x1f0
[ 99.129775] ? memset+0x1f/0x40
[ 99.129776] ext4_add_entry+0x6c7/0xcd0
[ 99.129778] ? make_indexed_dir+0x1130/0x1130
[ 99.129779] ? jbd2_journal_get_write_access+0xaf/0x120
[ 99.129781] ? __ext4_journal_get_write_access+0x41/0x70
[ 99.129782] ? jbd2__journal_start+0x2d6/0x760
[ 99.129784] ext4_rename+0xef9/0x1e00
[ 99.129786] ? avc_has_perm_noaudit+0x1b3/0x380
[ 99.129787] ? ext4_tmpfile+0x3a0/0x3a0
[ 99.129788] ? avc_has_extended_perms+0xe80/0xe80
[ 99.129790] ? selinux_path_notify+0x460/0x460
[ 99.129792] vfs_rename+0x84f/0x1550
[ 99.129794] ? tomoyo_cred_prepare+0xb1/0x160
[ 99.129795] ? vfs_mkdir+0x5a0/0x5a0
[ 99.129796] ? d_alloc+0x56/0x210
[ 99.129797] ? do_renameat2+0x78a/0x970
[ 99.129798] do_renameat2+0x78a/0x970
[ 99.129800] ? user_path_create+0x30/0x30
[ 99.129801] ? lockref_put_return+0xd7/0x190
[ 99.129803] ? blk_pre_runtime_suspend+0x280/0x280
[ 99.129804] ? kmem_cache_alloc+0x177/0x220
[ 99.129805] ? mnt_get_count+0x1e0/0x1e0
[ 99.129806] ? dput+0x5a/0x760
[ 99.129808] ? path_setxattr+0xb9/0x130
[ 99.129809] ? setxattr+0x240/0x240
[ 99.129810] ? __fget_light+0x55/0x1f0
[ 99.129811] ? __fget_light+0x55/0x1f0
[ 99.129813] __x64_sys_rename+0x5a/0x80
[ 99.129814] do_syscall_64+0x9a/0x390
[ 99.129815] ? prepare_exit_to_usermode+0xec/0x1a0
[ 99.129817] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 99.129819] RIP: 0033:0x7f8665863639
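As an added triage example that is not part of the bug report, a small Python parser that pulls the fields a defender keys on (bug class, faulting function, access type and size, task, the reliable call-trace frames and the entry syscall) out of a KASAN report like the one above. The sample report is a constructed, trimmed copy of those trace lines; frames prefixed with "?" are unreliable unwinder guesses and are skipped.

```python
import re

# Constructed sample: a trimmed copy of the KASAN report from the bug.
SAMPLE_REPORT = """\
[   99.129641] BUG: KASAN: use-after-free in dx_insert_block+0xf9/0x1e0
[   99.129678] Read of size 199528 at addr ffff88825d339028 by task tmp32/1078
[   99.129731] Call Trace:
[   99.129736]  ? dx_insert_block+0xf9/0x1e0
[   99.129747]  memmove+0x1f/0x50
[   99.129748]  dx_insert_block+0xf9/0x1e0
[   99.129750]  do_split+0x105b/0x1bf0
[   99.129784]  ext4_rename+0xef9/0x1e00
[   99.129813]  __x64_sys_rename+0x5a/0x80
[   99.129819] RIP: 0033:0x7f8665863639
"""

HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)/(?P<pid>\d+)")
# A trace frame: optional "? " marks an unreliable frame; "RIP:" etc. will not match.
FRAME = re.compile(r"^\[\s*[\d.]+\]\s+(?P<unreliable>\?\s+)?(?P<sym>\w+)\+0x")

def parse_kasan_report(text):
    """Return a dict with kind, func, rw, size, addr, task, pid and the
    reliable call-trace frames (in order, innermost first)."""
    report = {"frames": []}
    in_trace = False
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            report.update(kind=m["kind"], func=m["func"])
            continue
        m = ACCESS.search(line)
        if m:
            report.update(rw=m["rw"], size=int(m["size"]), addr=m["addr"],
                          task=m["task"], pid=int(m["pid"]))
            continue
        if "Call Trace:" in line:
            in_trace = True
            continue
        if in_trace:
            m = FRAME.match(line)
            if m is None:          # first non-frame line ends the trace
                break
            if not m["unreliable"]:
                report["frames"].append(m["sym"])
    return report

def syscall_of(report):
    """The syscall entry frame (e.g. __x64_sys_rename), or None."""
    return next((f for f in report["frames"] if f.startswith("__x64_sys_")), None)
```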
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2076153]
FWIW a non-C reproducer is a little easier to see what's going on; it's just 2 renames that trigger it, I think:

#!/bin/bash
mkdir -p mnt
# loop-mount the test image
mount -o loop tmp32.img mnt
# first rename: to a long name
mv mnt/foo/bar mnt/foo/YzoUYCy4vTth45i7MwqQdVlwdwIxJa0qYmI4yG8uk1Zo4GtQAhonCZhnTxknXib3Ut7T8DLqCscG8VeGCQ3Oyi9RfuCBcnC5fIYnVrdghDwqiZ4sz6ExoNPSHZbsNnx25TnZIOFz
# second rename: to an even longer name
mv mnt/foo/YzoUYCy4vTth45i7MwqQdVlwdwIxJa0qYmI4yG8uk1Zo4GtQAhonCZhnTxknXib3Ut7T8DLqCscG8VeGCQ3Oyi9RfuCBcnC5fIYnVrdghDwqiZ4sz6ExoNPSHZbsNnx25TnZIOFz mnt/foo/AIdkBBulG0Pp5lbVEIax6ccJGGdV4R1Cjextprc4p1tvlUQzkzuqbX7rnkMp9L0r0xinmKrcKkV5Ct4xsylTTtIEbc2ly2cwxIjjabLuJqxWkzTcyE4P5KehxeStg2pdKYMu7gnPWkvEkMpgYr3eBhL6Jlzxlma3JvvObin5RgI927pZwsD7YWEpFBn0wN1FGwdpdPt45BB6GyfAqqHMMTCZdxZZIaoZUPM7oF
umount mnt
This was fixed for Fedora with the 5.17.14 stable kernel updates.
(In reply to Justin M. Forbes from comment #12)
> This was fixed for Fedora with the 5.17.14 stable kernel updates.

Was it? Because it's still reproducible on the recent upstream kernel. What Fedora version are we talking about so that I can test it myself?

-Lukas
Just out of curiosity I've tried kernel 5.17.15 and it's also reproducible so I don't think this has been fixed in Fedora, not even by coincidence. You might be mistaking it with some other bug.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1184
Why are other Red Hat products such as Red Hat Enterprise Linux 7 not mentioned on this CVE? It appears from the comments that it was not tested, making it unknown. I am accustomed to seeing CVEs with the full list of products saying whether or not they were affected.