Debian: CVE-2022-48919: linux -- security update

Debian: CVE-2022-48919: linux -- security update

Severity

7

CVSS

(AV:L/AC:L/Au:S/C:C/I:C/A:C)

Published

08/22/2024

Created

08/24/2024

Added

08/23/2024

Modified

01/28/2025

Description

In the Linux kernel, the following vulnerability has been resolved: cifs: fix double free race when mount fails in cifs_get_root() When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this situation we should not proceed to enter the out: section in cifs_smb3_do_mount() and free the same resources a second time. [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0 [Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 [Thu Feb 10 12:59:06 2022] Call Trace: [Thu Feb 10 12:59:06 2022]<IRQ> [Thu Feb 10 12:59:06 2022]dump_stack_lvl+0x5d/0x78 [Thu Feb 10 12:59:06 2022]print_address_description.constprop.0+0x24/0x150 [Thu Feb 10 12:59:06 2022]? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022]kasan_report.cold+0x7d/0x117 [Thu Feb 10 12:59:06 2022]? rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022]__asan_load8+0x86/0xa0 [Thu Feb 10 12:59:06 2022]rcu_cblist_dequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022]rcu_core+0x547/0xca0 [Thu Feb 10 12:59:06 2022]? call_rcu+0x3c0/0x3c0 [Thu Feb 10 12:59:06 2022]? __this_cpu_preempt_check+0x13/0x20 [Thu Feb 10 12:59:06 2022]? lock_is_held_type+0xea/0x140 [Thu Feb 10 12:59:06 2022]rcu_core_si+0xe/0x10 [Thu Feb 10 12:59:06 2022]__do_softirq+0x1d4/0x67b [Thu Feb 10 12:59:06 2022]__irq_exit_rcu+0x100/0x150 [Thu Feb 10 12:59:06 2022]irq_exit_rcu+0xe/0x30 [Thu Feb 10 12:59:06 2022]sysvec_hyperv_stimer0+0x9d/0xc0 ... [Thu Feb 10 12:59:07 2022] Freed by task 58179: [Thu Feb 10 12:59:07 2022]kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022]kasan_set_track+0x25/0x30 [Thu Feb 10 12:59:07 2022]kasan_set_free_info+0x24/0x40 [Thu Feb 10 12:59:07 2022]____kasan_slab_free+0x137/0x170 [Thu Feb 10 12:59:07 2022]__kasan_slab_free+0x12/0x20 [Thu Feb 10 12:59:07 2022]slab_free_freelist_hook+0xb3/0x1d0 [Thu Feb 10 12:59:07 2022]kfree+0xcd/0x520 [Thu Feb 10 12:59:07 2022]cifs_smb3_do_mount+0x149/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022]smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022]vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022]path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022]__x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022]do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022]entry_SYSCALL_64_after_hwframe+0x44/0xae [Thu Feb 10 12:59:07 2022] Last potentially related work creation: [Thu Feb 10 12:59:07 2022]kasan_save_stack+0x26/0x50 [Thu Feb 10 12:59:07 2022]__kasan_record_aux_stack+0xb6/0xc0 [Thu Feb 10 12:59:07 2022]kasan_record_aux_stack_noalloc+0xb/0x10 [Thu Feb 10 12:59:07 2022]call_rcu+0x76/0x3c0 [Thu Feb 10 12:59:07 2022]cifs_umount+0xce/0xe0 [cifs] [Thu Feb 10 12:59:07 2022]cifs_kill_sb+0xc8/0xe0 [cifs] [Thu Feb 10 12:59:07 2022]deactivate_locked_super+0x5d/0xd0 [Thu Feb 10 12:59:07 2022]cifs_smb3_do_mount+0xab9/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022]smb3_get_tree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022]vfs_get_tree+0x52/0x140 [Thu Feb 10 12:59:07 2022]path_mount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022]__x64_sys_mount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022]do_syscall_64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022]entry_SYSCALL_64_after_hwframe+0x44/0xae

Solution(s)

• debian-upgrade-linux

References

• https://attackerkb.com/topics/cve-2022-48919
• CVE - 2022-48919