CVE-2022-48923

Compressed length can be corrupted to be a lot larger than memory we have allocated for buffer. This will cause memcpy in copycompressedsegment to write outside of allocated memory.

This mostly results in stuck read syscall but sometimes when using btrfs send can get #GP

kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12 kernel: Workqueue: btrfs-endio btrfsworkhelper [btrfs] kernel: RIP: 0010:lzodecompressbio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs Code starting with the faulting instruction =========================================== 0:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction 3: 48 8d 79 08 lea 0x8(%rcx),%rdi 7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi b: 48 89 01 mov %rax,(%rcx) e: 44 89 f0 mov %r14d,%eax 11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212 kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8 kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000 kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000 kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000 kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0 kernel: Call Trace: kernel: <TASK> kernel: endcompressedbioread (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs kernel: endworkqueuefn (fs/btrfs/disk-io.c:1923) btrfs kernel: btrfsworkhelper (fs/btrfs/async-thread.c:326) btrfs kernel: processonework (./arch/x86/include/asm/jumplabel.h:27 ./include/linux/jumplabel.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312) kernel: workerthread (./include/linux/list.h:292 kernel/workqueue.c:2455) kernel: ? processonework (kernel/workqueue.c:2397) kernel: kthread (kernel/kthread.c:377) kernel: ? kthreadcompleteandexit (kernel/kthread.c:332) kernel: retfromfork (arch/x86/entry/entry64.S:301) kernel: </TASK>

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a6e66e6f8c1b685e11b778bef614480a9c1a5278

Fixed

8df508b7a44cd8110c726057cd28e8f8116885eb

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a6e66e6f8c1b685e11b778bef614480a9c1a5278

Fixed

e326bd06cdde46df952361456232022298281d16

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a6e66e6f8c1b685e11b778bef614480a9c1a5278

Fixed

741b23a970a79d5d3a1db2d64fa2c7b375a4febb

Affected versions

v5.*

v5.14

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.16.1

v5.16.10

v5.16.11

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@741b23a970a79d5d3a1db2d64fa2c7b375a4febb",
            "signature_type": "Function",
            "target": {
                "function": "lzo_decompress_bio",
                "file": "fs/btrfs/lzo.c"
            },
            "deprecated": false,
            "digest": {
                "length": 1490.0,
                "function_hash": "200200297804891423182318749347431406895"
            },
            "id": "CVE-2022-48923-0363efb1"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8df508b7a44cd8110c726057cd28e8f8116885eb",
            "signature_type": "Function",
            "target": {
                "function": "lzo_decompress_bio",
                "file": "fs/btrfs/lzo.c"
            },
            "deprecated": false,
            "digest": {
                "length": 1490.0,
                "function_hash": "200200297804891423182318749347431406895"
            },
            "id": "CVE-2022-48923-50ec7eed"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e326bd06cdde46df952361456232022298281d16",
            "signature_type": "Line",
            "target": {
                "file": "fs/btrfs/lzo.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "196988102896748372861665060719274227923",
                    "305557557301121371918627803687205663735",
                    "111336107854165256972434800084165862479"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2022-48923-6c428fc3"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@741b23a970a79d5d3a1db2d64fa2c7b375a4febb",
            "signature_type": "Line",
            "target": {
                "file": "fs/btrfs/lzo.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "196988102896748372861665060719274227923",
                    "305557557301121371918627803687205663735",
                    "111336107854165256972434800084165862479"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2022-48923-a9afa687"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e326bd06cdde46df952361456232022298281d16",
            "signature_type": "Function",
            "target": {
                "function": "lzo_decompress_bio",
                "file": "fs/btrfs/lzo.c"
            },
            "deprecated": false,
            "digest": {
                "length": 1490.0,
                "function_hash": "200200297804891423182318749347431406895"
            },
            "id": "CVE-2022-48923-af33898d"
        },
        {
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8df508b7a44cd8110c726057cd28e8f8116885eb",
            "signature_type": "Line",
            "target": {
                "file": "fs/btrfs/lzo.c"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "196988102896748372861665060719274227923",
                    "305557557301121371918627803687205663735",
                    "111336107854165256972434800084165862479"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2022-48923-dc67c331"
        }
    ]
}

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.15.0

Fixed

5.15.26

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.16.12