CVE-2022-49810

netfslib has a number of places in which it performs iteration of an xarray whilst being under the RCU read lock. It should call xas_retry() as the first thing inside of the loop and do "continue" if it returns true in case the xarray walker passed out a special value indicating that the walk needs to be redone from the root[*].

Fix this by adding the missing retry checks.

[*] I wonder if this should be done inside xasfind(), xasnext_node() and suchlike, but I'm told that's not an simple change to effect.

This can cause an oops like that below. Note the faulting address - this is an internal value (|0x2) returned from xarray.

BUG: kernel NULL pointer dereference, address: 0000000000000402 ... RIP: 0010:netfsrrequnlock+0xef/0x380 [netfs] ... Call Trace: netfsrreqassess+0xa6/0x240 [netfs] netfsreadpage+0x173/0x3b0 [netfs] ? initwaitvarentry+0x50/0x50 filemapreadpage+0x33/0xf0 filemapgetpages+0x2f2/0x3f0 filemapread+0xaa/0x320 ? dofilpopen+0xb2/0x150 ? rmqueue+0x3be/0xe10 cephreaditer+0x1fe/0x680 [ceph] ? newsyncread+0x115/0x1a0 newsyncread+0x115/0x1a0 vfsread+0xf3/0x180 ksysread+0x5f/0xe0 dosyscall64+0x38/0x90 entrySYSCALL64after_hwframe+0x44/0xae

Changes:

ver #2) - Changed an unsigned int to a size_t to reduce the likelihood of an overflow as per Willy's suggestion. - Added an additional patch to fix the maths.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3d3c95046742e4eebaa4b891b0b01cbbed94ebbd

Fixed

b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3d3c95046742e4eebaa4b891b0b01cbbed94ebbd

Fixed

7e043a80b5dae5c2d2cf84031501de7827fd6c00

Affected versions

v5.*

v5.12

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0.7

v6.0.8

v6.0.9

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
        "target": {
            "file": "fs/netfs/buffered_read.c"
        },
        "digest": {
            "line_hashes": [
                "32041236763448323049134596760215294735",
                "101360373092268390583134700279932228748",
                "84998093689135306465443532097221899512",
                "140162646945368296730221431287157531125",
                "186659782890191041575137493199793193889",
                "55217904426352896351492941418217551418"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49810-2ad27136"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
        "target": {
            "function": "netfs_rreq_unlock_folios",
            "file": "fs/netfs/buffered_read.c"
        },
        "digest": {
            "function_hash": "64960086076983741621304677781979921537",
            "length": 1701.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49810-7d8c0e07"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
        "target": {
            "file": "fs/netfs/io.c"
        },
        "digest": {
            "line_hashes": [
                "196706438013368698993778113111946467770",
                "1487931568068748432592337077671317350",
                "1532217284170509331313661188725790774",
                "89221781230092756785509775672626676449"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49810-b67a841e"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
        "target": {
            "function": "netfs_rreq_unlock_folios",
            "file": "fs/netfs/buffered_read.c"
        },
        "digest": {
            "function_hash": "64960086076983741621304677781979921537",
            "length": 1701.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49810-d473323d"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
        "target": {
            "function": "netfs_rreq_unmark_after_write",
            "file": "fs/netfs/io.c"
        },
        "digest": {
            "function_hash": "8484745214304597863304458925264838268",
            "length": 514.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49810-e3ffe5e3"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
        "target": {
            "file": "fs/netfs/io.c"
        },
        "digest": {
            "line_hashes": [
                "196706438013368698993778113111946467770",
                "1487931568068748432592337077671317350",
                "1532217284170509331313661188725790774",
                "89221781230092756785509775672626676449"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49810-e45896c1"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7e043a80b5dae5c2d2cf84031501de7827fd6c00",
        "target": {
            "file": "fs/netfs/buffered_read.c"
        },
        "digest": {
            "line_hashes": [
                "32041236763448323049134596760215294735",
                "101360373092268390583134700279932228748",
                "84998093689135306465443532097221899512",
                "140162646945368296730221431287157531125",
                "186659782890191041575137493199793193889",
                "55217904426352896351492941418217551418"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "id": "CVE-2022-49810-f0ec414b"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b2cc07a76f1eb12de3b22caf5fdbf856a7bef16d",
        "target": {
            "function": "netfs_rreq_unmark_after_write",
            "file": "fs/netfs/io.c"
        },
        "digest": {
            "function_hash": "8484745214304597863304458925264838268",
            "length": 514.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "id": "CVE-2022-49810-f3d1feaa"
    }
]

CVE-2022-49810

Changes:

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Affected versions

v5.*

v6.*

Database specific

vanir_signatures

Linux / Kernel

Package

Affected ranges