In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix missing xas_retry() calls in xarray iteration
netfslib has a number of places in which it performs iteration of an xarray whilst being under the RCU read lock. It should call xas_retry() as the first thing inside of the loop and do "continue" if it returns true in case the xarray walker passed out a special value indicating that the walk needs to be redone from the root[*].
Fix this by adding the missing retry checks.
[*] I wonder if this should be done inside xas_find(), xas_next_node() and suchlike, but I'm told that's not a simple change to effect.
This can cause an oops like that below. Note the faulting address - this is an internal value (|0x2) returned from xarray.
BUG: kernel NULL pointer dereference, address: 0000000000000402
...
RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
...
Call Trace:
 netfs_rreq_assess+0xa6/0x240 [netfs]
 netfs_readpage+0x173/0x3b0 [netfs]
 ? init_wait_var_entry+0x50/0x50
 filemap_read_page+0x33/0xf0
 filemap_get_pages+0x2f2/0x3f0
 filemap_read+0xaa/0x320
 ? do_filp_open+0xb2/0x150
 ? rmqueue+0x3be/0xe10
 ceph_read_iter+0x1fe/0x680 [ceph]
 ? new_sync_read+0x115/0x1a0
 new_sync_read+0x115/0x1a0
 vfs_read+0xf3/0x180
 ksys_read+0x5f/0xe0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
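As an added illustration, not part of the advisory or of the kernel commit it describes: a userspace model in C of the loop shape used by netfs_rreq_unlock_folios(), showing why an xarray walker's retry marker has to be tested before anything is dereferenced. xa_mk_internal(), xa_is_internal(), xa_is_retry() and XA_RETRY_ENTRY reproduce the encodings from include/linux/xarray.h, which is why the marker's value is the 0x402 seen as the faulting address above. struct folio, struct slot, struct xa_state, xas_next_entry(), xas_retry() and unlock_folios() are simplified stand-ins for the kernel types and functions, and the three-folio input is constructed for the example; in the kernel the buggy path dereferences the marker and oopses, whereas the model detects the would-be dereference and returns -1 so that it can run to completion.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the internal-entry encoding from include/linux/xarray.h: an internal
 * entry is a small integer shifted left by 2 with low bits 0b10, so it can never
 * alias an aligned pointer. XA_RETRY_ENTRY is xa_mk_internal(256) == 0x402. */
static inline void *xa_mk_internal(unsigned long v) { return (void *)((v << 2) | 2); }
static inline int xa_is_internal(const void *entry) { return ((unsigned long)entry & 3) == 2; }
#define XA_RETRY_ENTRY xa_mk_internal(256)
static inline int xa_is_retry(const void *entry) { return entry == XA_RETRY_ENTRY; }

/* Stand-in for struct folio: the only field the loop touches. */
struct folio { unsigned long index; };

/* Constructed slot: the real entry plus a flag saying the next read hands out
 * XA_RETRY_ENTRY instead, which is what a walker does when it saw the tree
 * change under it and needs the caller to restart from the root. */
struct slot { struct folio *folio; int retry_pending; };

/* Modelled xarray state: the slots and the walk cursor (stand-in for struct xa_state). */
struct xa_state { struct slot *slots; size_t n; size_t pos; };

/* Modelled xas_next_entry(): returns the next entry, or XA_RETRY_ENTRY once for a
 * slot whose retry flag is set. The cursor does not advance past such a slot, so
 * a retry revisits it and then sees the real entry. */
static void *xas_next_entry(struct xa_state *xas)
{
    if (xas->pos >= xas->n)
        return NULL;
    struct slot *s = &xas->slots[xas->pos];
    if (s->retry_pending) {
        s->retry_pending = 0;
        return XA_RETRY_ENTRY;
    }
    xas->pos++;
    return s->folio;
}

/* Modelled xas_retry(): the check the fix adds. The real one also resets the
 * cursor so the walk restarts from the root; our cursor already stays on the
 * slot, so only the test is modelled here. */
static int xas_retry(struct xa_state *xas, const void *entry)
{
    (void)xas;
    return xa_is_retry(entry);
}

/* The loop shape from netfs_rreq_unlock_folios(), with or without the retry check.
 * Returns the number of folios "unlocked", or -1 where the kernel would have
 * dereferenced an internal entry (the oops at address 0x402). */
static long unlock_folios(struct xa_state *xas, int with_retry_check)
{
    long unlocked = 0;
    void *entry;
    xas->pos = 0;
    while ((entry = xas_next_entry(xas)) != NULL) {
        if (with_retry_check && xas_retry(xas, entry))
            continue;           /* fixed: restart the walk, never touch the marker */
        if (xa_is_internal(entry))
            return -1;          /* buggy path: folio->index on 0x402 faults in the kernel */
        struct folio *folio = entry;
        (void)folio->index;     /* stands in for folio_unlock()/folio_mark_uptodate() */
        unlocked++;
    }
    return unlocked;
}

/* Constructed input: three folios, with the walker raising a retry before the second. */
static struct folio folios[3] = { { 0 }, { 1 }, { 2 } };
static struct slot slots[3] = { { &folios[0], 0 }, { &folios[1], 1 }, { &folios[2], 0 } };

static long run_buggy(void)
{
    struct xa_state xas = { slots, 3, 0 };
    slots[1].retry_pending = 1;
    return unlock_folios(&xas, 0);  /* returns -1: would oops on the marker */
}

static long run_fixed(void)
{
    struct xa_state xas = { slots, 3, 0 };
    slots[1].retry_pending = 1;
    return unlock_folios(&xas, 1);  /* returns 3: marker skipped, all folios handled */
}

int main(void)
{
    printf("without xas_retry(): %ld (-1 = would oops)\n", run_buggy());
    printf("with xas_retry():    %ld folios unlocked\n", run_fixed());
    return 0;
}
```

The point of the model is the ordering: the retry test has to be the first statement in the loop body, because every other statement assumes `entry` is a real pointer. The same check applies to any RCU-side xarray walk, which is why the commit touches both fs/netfs/buffered_read.c and fs/netfs/io.c.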
ver #2)
 - Changed an unsigned int to a size_t to reduce the likelihood of an overflow as per Willy's suggestion.
 - Added an additional patch to fix the maths.
[
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
    "target": { "file": "fs/netfs/buffered_read.c" },
    "digest": {
      "line_hashes": [
        "32041236763448323049134596760215294735",
        "101360373092268390583134700279932228748",
        "84998093689135306465443532097221899512",
        "140162646945368296730221431287157531125",
        "186659782890191041575137493199793193889",
        "55217904426352896351492941418217551418"
      ],
      "threshold": 0.9
    },
    "deprecated": false,
    "signature_type": "Line",
    "signature_version": "v1",
    "id": "CVE-2022-49810-2ad27136"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
    "target": { "function": "netfs_rreq_unlock_folios", "file": "fs/netfs/buffered_read.c" },
    "digest": { "function_hash": "64960086076983741621304677781979921537", "length": 1701.0 },
    "deprecated": false,
    "signature_type": "Function",
    "signature_version": "v1",
    "id": "CVE-2022-49810-7d8c0e07"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
    "target": { "file": "fs/netfs/io.c" },
    "digest": {
      "line_hashes": [
        "196706438013368698993778113111946467770",
        "1487931568068748432592337077671317350",
        "1532217284170509331313661188725790774",
        "89221781230092756785509775672626676449"
      ],
      "threshold": 0.9
    },
    "deprecated": false,
    "signature_type": "Line",
    "signature_version": "v1",
    "id": "CVE-2022-49810-b67a841e"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
    "target": { "function": "netfs_rreq_unlock_folios", "file": "fs/netfs/buffered_read.c" },
    "digest": { "function_hash": "64960086076983741621304677781979921537", "length": 1701.0 },
    "deprecated": false,
    "signature_type": "Function",
    "signature_version": "v1",
    "id": "CVE-2022-49810-d473323d"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
    "target": { "function": "netfs_rreq_unmark_after_write", "file": "fs/netfs/io.c" },
    "digest": { "function_hash": "8484745214304597863304458925264838268", "length": 514.0 },
    "deprecated": false,
    "signature_type": "Function",
    "signature_version": "v1",
    "id": "CVE-2022-49810-e3ffe5e3"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
    "target": { "file": "fs/netfs/io.c" },
    "digest": {
      "line_hashes": [
        "196706438013368698993778113111946467770",
        "1487931568068748432592337077671317350",
        "1532217284170509331313661188725790774",
        "89221781230092756785509775672626676449"
      ],
      "threshold": 0.9
    },
    "deprecated": false,
    "signature_type": "Line",
    "signature_version": "v1",
    "id": "CVE-2022-49810-e45896c1"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
    "target": { "file": "fs/netfs/buffered_read.c" },
    "digest": {
      "line_hashes": [
        "32041236763448323049134596760215294735",
        "101360373092268390583134700279932228748",
        "84998093689135306465443532097221899512",
        "140162646945368296730221431287157531125",
        "186659782890191041575137493199793193889",
        "55217904426352896351492941418217551418"
      ],
      "threshold": 0.9
    },
    "deprecated": false,
    "signature_type": "Line",
    "signature_version": "v1",
    "id": "CVE-2022-49810-f0ec414b"
  },
  {
    "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
    "target": { "function": "netfs_rreq_unmark_after_write", "file": "fs/netfs/io.c" },
    "digest": { "function_hash": "8484745214304597863304458925264838268", "length": 514.0 },
    "deprecated": false,
    "signature_type": "Function",
    "signature_version": "v1",
    "id": "CVE-2022-49810-f3d1feaa"
  }
]