In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix missing xas_retry() calls in xarray iteration
netfslib has a number of places in which it performs iteration of an xarray whilst being under the RCU read lock. It should call xas_retry() as the first thing inside of the loop and do "continue" if it returns true in case the xarray walker passed out a special value indicating that the walk needs to be redone from the root[*].
Fix this by adding the missing retry checks.
[*] I wonder if this should be done inside xas_find(), xas_next_node() and suchlike, but I'm told that's not a simple change to effect.
This can cause an oops like that below. Note the faulting address - this is an internal value (|0x2) returned from xarray.
BUG: kernel NULL pointer dereference, address: 0000000000000402
...
RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
...
Call Trace:
 netfs_rreq_assess+0xa6/0x240 [netfs]
 netfs_readpage+0x173/0x3b0 [netfs]
 ? init_wait_var_entry+0x50/0x50
 filemap_read_page+0x33/0xf0
 filemap_get_pages+0x2f2/0x3f0
 filemap_read+0xaa/0x320
 ? do_filp_open+0xb2/0x150
 ? rmqueue+0x3be/0xe10
 ceph_read_iter+0x1fe/0x680 [ceph]
 ? new_sync_read+0x115/0x1a0
 new_sync_read+0x115/0x1a0
 vfs_read+0xf3/0x180
 ksys_read+0x5f/0xe0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
ver #2)
 - Changed an unsigned int to a size_t to reduce the likelihood of an overflow as per Willy's suggestion.
 - Added an additional patch to fix the maths.
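To make the failure mode concrete, here is an added userspace C model of the loop shape the commit describes. It is not code from the kernel or from this patch: the tagged-pointer encoding is copied from the kernel's xarray.h, so the retry marker is the same 0x402 value as the faulting address in the oops, but the walker is a constructed mock over a flat array, and setup_demo(), unlock_folios_buggy() and unlock_folios_fixed() are hypothetical names standing in for netfs_rreq_unlock_folios(). In the kernel that loop runs under rcu_read_lock(), which excludes nothing on the writer side, so a reader can observe a writer's transient retry marker; that is why xas_retry() has to be the first statement of the body.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Tagged-pointer encoding as in the kernel's include/linux/xarray.h: an
 * internal entry has low bits 0b10 and is never a valid pointer.
 * XA_RETRY_ENTRY = (256 << 2) | 2 = 0x402, the faulting address in the oops. */
static inline void *xa_mk_internal(unsigned long v) { return (void *)((v << 2) | 2); }
static inline bool xa_is_internal(const void *e) { return ((unsigned long)e & 3) == 2; }
#define XA_RETRY_ENTRY xa_mk_internal(256)
struct folio { int unlocked; };

/* Mock xa_state (assumption: a flat array stands in for the radix tree). The
 * first visit to slot retry_slot hands out XA_RETRY_ENTRY, as an RCU reader
 * sees while a writer restructures a node; the settled entry comes back on
 * the re-descent that xas_retry() requests. */
struct xa_state {
	void **slots;
	size_t nslots;
	long cur;            /* slot being looked at, -1 before the walk starts */
	size_t retry_slot;
	bool retry_pending;
	bool restart;        /* kernel: xas->xa_node == XAS_RESTART */
};

static void setup_demo(struct xa_state *xas, struct folio *folios, void **slots,
		       size_t n, size_t retry_slot)
{
	for (size_t i = 0; i < n; i++) {
		folios[i].unlocked = 0;
		slots[i] = &folios[i];
	}
	*xas = (struct xa_state){ slots, n, -1, retry_slot, true, false };
}

static void *xas_next_entry(struct xa_state *xas, unsigned long max)
{
	if (xas->restart)
		xas->restart = false;   /* re-read the same index from the root */
	else
		xas->cur++;
	if ((size_t)xas->cur >= xas->nslots || (unsigned long)xas->cur > max)
		return NULL;
	if ((size_t)xas->cur == xas->retry_slot && xas->retry_pending) {
		xas->retry_pending = false;
		return XA_RETRY_ENTRY;
	}
	return xas->slots[xas->cur];
}

/* Same contract as the kernel's xas_retry(): true, plus a restart from the
 * root, if the walker handed back a retry marker; false otherwise. */
static inline bool xas_retry(struct xa_state *xas, const void *entry)
{
	if (entry != XA_RETRY_ENTRY)
		return false;
	xas->restart = true;
	return true;
}

#define xas_for_each(xas, entry, max) \
	for (entry = xas_next_entry(xas, max); entry; entry = xas_next_entry(xas, max))

/* Loop shape before the fix: every entry is treated as a folio. Instead of
 * dereferencing the bogus pointer (where the kernel oopses), return the
 * address that would have faulted, or 0 if the walk was clean. */
static unsigned long unlock_folios_buggy(struct xa_state *xas, unsigned long last)
{
	struct folio *folio;
	unsigned long fault = 0;
	xas_for_each(xas, folio, last) {
		if (xa_is_internal(folio)) {
			fault = (unsigned long)folio;
			continue;
		}
		folio->unlocked = 1;
	}
	return fault;
}

/* Loop shape after the fix: xas_retry() first thing in the body, continue if
 * it fires. Returns the number of folios unlocked. */
static int unlock_folios_fixed(struct xa_state *xas, unsigned long last)
{
	struct folio *folio;
	int unlocked = 0;
	xas_for_each(xas, folio, last) {
		if (xas_retry(xas, folio))
			continue;
		folio->unlocked = 1;
		unlocked++;
	}
	return unlocked;
}

int main(void)
{
	struct folio folios[4]; void *slots[4]; struct xa_state xas;
	setup_demo(&xas, folios, slots, 4, 2);
	printf("buggy: would fault at %#lx\n", unlock_folios_buggy(&xas, 3));
	setup_demo(&xas, folios, slots, 4, 2);
	printf("fixed: unlocked %d of 4 folios\n", unlock_folios_fixed(&xas, 3));
	return 0;
}
```

The buggy walk reports 0x402 as the address it would have touched and leaves the folio behind the marker locked, which is the hang-or-oops outcome the commit describes; the fixed walk re-descends at the same index, picks up the settled entry, and unlocks all four. The mock only ever injects one marker, so the check `entry != XA_RETRY_ENTRY` is all xas_retry() needs here; the real helper also handles zero entries and resets the walker's node state.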
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-2ad27136",
"target": {
"file": "fs/netfs/buffered_read.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"32041236763448323049134596760215294735",
"101360373092268390583134700279932228748",
"84998093689135306465443532097221899512",
"140162646945368296730221431287157531125",
"186659782890191041575137493199793193889",
"55217904426352896351492941418217551418"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-7d8c0e07",
"target": {
"function": "netfs_rreq_unlock_folios",
"file": "fs/netfs/buffered_read.c"
},
"digest": {
"length": 1701.0,
"function_hash": "64960086076983741621304677781979921537"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-b67a841e",
"target": {
"file": "fs/netfs/io.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"196706438013368698993778113111946467770",
"1487931568068748432592337077671317350",
"1532217284170509331313661188725790774",
"89221781230092756785509775672626676449"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-d473323d",
"target": {
"function": "netfs_rreq_unlock_folios",
"file": "fs/netfs/buffered_read.c"
},
"digest": {
"length": 1701.0,
"function_hash": "64960086076983741621304677781979921537"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-e3ffe5e3",
"target": {
"function": "netfs_rreq_unmark_after_write",
"file": "fs/netfs/io.c"
},
"digest": {
"length": 514.0,
"function_hash": "8484745214304597863304458925264838268"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-e45896c1",
"target": {
"file": "fs/netfs/io.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"196706438013368698993778113111946467770",
"1487931568068748432592337077671317350",
"1532217284170509331313661188725790774",
"89221781230092756785509775672626676449"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-f0ec414b",
"target": {
"file": "fs/netfs/buffered_read.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"32041236763448323049134596760215294735",
"101360373092268390583134700279932228748",
"84998093689135306465443532097221899512",
"140162646945368296730221431287157531125",
"186659782890191041575137493199793193889",
"55217904426352896351492941418217551418"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2022-49810-f3d1feaa",
"target": {
"function": "netfs_rreq_unmark_after_write",
"file": "fs/netfs/io.c"
},
"digest": {
"length": 514.0,
"function_hash": "8484745214304597863304458925264838268"
},
"signature_type": "Function"
}
]