In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix NULL pointer dereference in nilfspalloccommitfreeentry()
Syzbot reported a null-ptr-deref bug:
NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 PID: 3603 Comm: segctord Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 RIP: 0010:nilfspalloccommitfreeentry+0xe5/0x6b0 fs/nilfs2/alloc.c:608 Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7 RSP: 0018:ffffc90003dff830 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010 RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158 R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0 Call Trace: <TASK> nilfsdatcommitfree fs/nilfs2/dat.c:114 [inline] nilfsdatcommitend+0x464/0x5f0 fs/nilfs2/dat.c:193 nilfsdatcommitupdate+0x26/0x40 fs/nilfs2/dat.c:236 nilfsbtreecommitupdatev+0x87/0x4a0 fs/nilfs2/btree.c:1940 nilfsbtreecommitpropagatev fs/nilfs2/btree.c:2016 [inline] nilfsbtreepropagatev fs/nilfs2/btree.c:2046 [inline] nilfsbtreepropagate+0xa00/0xd60 fs/nilfs2/btree.c:2088 nilfsbmappropagate+0x73/0x170 fs/nilfs2/bmap.c:337 nilfscollectfiledata+0x45/0xd0 fs/nilfs2/segment.c:568 nilfssegctorapplybuffers+0x14a/0x470 fs/nilfs2/segment.c:1018 nilfssegctorscanfile+0x3f4/0x6f0 fs/nilfs2/segment.c:1067 nilfssegctorcollectblocks fs/nilfs2/segment.c:1197 [inline] nilfssegctorcollect fs/nilfs2/segment.c:1503 [inline] nilfssegctordoconstruct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045 nilfssegctorconstruct+0x8e3/0xb30 fs/nilfs2/segment.c:2379 nilfssegctorthreadconstruct fs/nilfs2/segment.c:2487 [inline] nilfssegctorthread+0x3c3/0xf30 fs/nilfs2/segment.c:2570 kthread+0x2e4/0x3a0 kernel/kthread.c:376 retfromfork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> ...
If DAT metadata file is corrupted on disk, there is a case where req->prdescbh is NULL and blocknr is 0 at nilfsdatcommitend() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfsdatcommitalloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfsdatprepareend() and nilfsdatcommitend().
If this happens, nilfsdatcommitend() calls nilfsdatcommitfree() without valid buffer heads in req->prdescbh and req->prbitmapbh, and causes the NULL pointer dereference above in nilfspalloccommitfreeentry() function, which leads to a crash.
Fix this by adding a NULL check on req->prdescbh and req->prbitmapbh before nilfspalloccommitfreeentry() in nilfsdatcommit_free().
This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations.
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@165c7a3b27a3857ebf57f626b9f38b48b6792e68", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-058f9b26", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2f2c59506ae39496588ceb8b88bdbdbaed895d63", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-1656639f", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a130b72e6bd1fb07fc3cde839dc6fb53da76f07", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-1fc0626a", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e858917ab785afe83c14f5ac141301216ccda847", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-3817656d", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2f2c59506ae39496588ceb8b88bdbdbaed895d63", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-43daa64f", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bc3fd3293887b4cf84a9109700faeb82de533c89", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-5d50c53d", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bc3fd3293887b4cf84a9109700faeb82de533c89", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-868710e4", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-8a786f40", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a130b72e6bd1fb07fc3cde839dc6fb53da76f07", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-92142694", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f0a0ccda18d6fd826d7c7e7ad48a6ed61c20f8b4", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-945eea13", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@381b84f60e549ea98cec4666c6c728b1b3318756", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-a81d24d1", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@381b84f60e549ea98cec4666c6c728b1b3318756", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-a8d8f69b", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e858917ab785afe83c14f5ac141301216ccda847", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-a934cc0f", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33021419fd81efd3d729a7f19341ba4b98fe66ce", "target": { "file": "fs/nilfs2/dat.c" }, "signature_type": "Line", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-cfe24ae8", "digest": { "line_hashes": [ "322263638380359484627035400799199006549", "32677642605141969283256912472141937703", "141223172223323274712457195388660881653", "226832774793105538149903140955772677548" ], "threshold": 0.9 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@165c7a3b27a3857ebf57f626b9f38b48b6792e68", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-e7e1fe26", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@33021419fd81efd3d729a7f19341ba4b98fe66ce", "target": { "function": "nilfs_dat_commit_free", "file": "fs/nilfs2/dat.c" }, "signature_type": "Function", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49007-f7c412fb", "digest": { "function_hash": "79181395882737280243722057232545283002", "length": 424.0 } } ]