CVE-2022-1184: Use After Free
First published: Wed Mar 30 2022(Updated: )
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() and a BUG() in fs/ext4/ext4.h:2057, It is tested on 4.14 and 5.16, it randomly got segmentation faults in either systemd or other libc functions after the bug is triggered twice or more with below traces. ================================================================== [ 99.129641] BUG: KASAN: use-after-free in dx_insert_block+0xf9/0x1e0 [ 99.129678] Read of size 199528 at addr ffff88825d339028 by task tmp32/1078 [ 99.129729] CPU: 3 PID: 1078 Comm: tmp32 Not tainted 5.4.171 #1 [ 99.129730] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 99.129731] Call Trace: [ 99.129734] dump_stack+0x8b/0xb9 [ 99.129736] ? dx_insert_block+0xf9/0x1e0 [ 99.129739] print_address_description.constprop.4+0x23/0x400 [ 99.129740] ? dx_insert_block+0xf9/0x1e0 [ 99.129742] __kasan_report+0x15c/0x1e0 [ 99.129743] ? dx_insert_block+0xf9/0x1e0 [ 99.129744] kasan_report+0x10/0x20 [ 99.129746] check_memory_region+0x149/0x1a0 [ 99.129747] memmove+0x1f/0x50 [ 99.129748] dx_insert_block+0xf9/0x1e0 [ 99.129750] do_split+0x105b/0x1bf0 [ 99.129754] ? ext4_rename_dir_finish+0x820/0x820 [ 99.129755] ext4_dx_add_entry+0x30b/0x2a20 [ 99.129757] ? _cond_resched+0x15/0x30 [ 99.129759] ? __getblk_gfp+0x35/0x7f0 [ 99.129760] ? add_dirent_to_buf+0x630/0x630 [ 99.129761] ? memset+0x1f/0x40 [ 99.129763] ? fscrypt_setup_filename+0x32/0xce0 [ 99.129765] ? ext4_getblk+0x127/0x3d0 [ 99.129766] ? do_syscall_64+0x9a/0x390 [ 99.129768] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 99.129769] ? ext4_iomap_begin+0xf10/0xf10 [ 99.129771] ? add_transaction_credits+0x13d/0xaf0 [ 99.129772] ? memset+0x1f/0x40 [ 99.129773] ? ext4_fname_setup_filename+0xd1/0x1f0 [ 99.129775] ? memset+0x1f/0x40 [ 99.129776] ext4_add_entry+0x6c7/0xcd0 [ 99.129778] ? make_indexed_dir+0x1130/0x1130 [ 99.129779] ? jbd2_journal_get_write_access+0xaf/0x120 [ 99.129781] ? __ext4_journal_get_write_access+0x41/0x70 [ 99.129782] ? jbd2__journal_start+0x2d6/0x760 [ 99.129784] ext4_rename+0xef9/0x1e00 [ 99.129786] ? avc_has_perm_noaudit+0x1b3/0x380 [ 99.129787] ? ext4_tmpfile+0x3a0/0x3a0 [ 99.129788] ? avc_has_extended_perms+0xe80/0xe80 [ 99.129790] ? selinux_path_notify+0x460/0x460 [ 99.129792] vfs_rename+0x84f/0x1550 [ 99.129794] ? tomoyo_cred_prepare+0xb1/0x160 [ 99.129795] ? vfs_mkdir+0x5a0/0x5a0 [ 99.129796] ? d_alloc+0x56/0x210 [ 99.129797] ? do_renameat2+0x78a/0x970 [ 99.129798] do_renameat2+0x78a/0x970 [ 99.129800] ? user_path_create+0x30/0x30 [ 99.129801] ? lockref_put_return+0xd7/0x190 [ 99.129803] ? blk_pre_runtime_suspend+0x280/0x280 [ 99.129804] ? kmem_cache_alloc+0x177/0x220 [ 99.129805] ? mnt_get_count+0x1e0/0x1e0 [ 99.129806] ? dput+0x5a/0x760 [ 99.129808] ? path_setxattr+0xb9/0x130 [ 99.129809] ? setxattr+0x240/0x240 [ 99.129810] ? __fget_light+0x55/0x1f0 [ 99.129811] ? __fget_light+0x55/0x1f0 [ 99.129813] __x64_sys_rename+0x5a/0x80 [ 99.129814] do_syscall_64+0x9a/0x390 [ 99.129815] ? prepare_exit_to_usermode+0xec/0x1a0 [ 99.129817] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 99.129819] RIP: 0033:0x7f8665863639
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:4.18.0-425.3.1.rt7.213.el8 | 0:4.18.0-425.3.1.rt7.213.el8 |
| redhat/kernel | <0:4.18.0-425.3.1.el8 | 0:4.18.0-425.3.1.el8 |
| redhat/kernel | <0:5.14.0-162.6.1.el9_1 | 0:5.14.0-162.6.1.el9_1 |
| redhat/kernel-rt | <0:5.14.0-162.6.1.rt21.168.el9_1 | 0:5.14.0-162.6.1.rt21.168.el9_1 |
| Linux Kernel | >2.6.12<4.9.138 | |
| Linux Kernel | >4.14<4.14.283 | |
| Linux Kernel | >4.19<4.19.247 | |
| Linux Kernel | >5.4<5.4.198 | |
| Linux Kernel | >5.10<5.10.121 | |
| Linux Kernel | >5.15<5.15.46 | |
| Linux Kernel | >5.17<5.17.14 | |
| Linux Kernel | >5.18<5.18.3 | |
| Linux Kernel | =2.6.12 | |
| Linux Kernel | =2.6.12-rc2 | |
| Linux Kernel | =2.6.12-rc3 | |
| Linux Kernel | =2.6.12-rc4 | |
| Linux Kernel | =2.6.12-rc5 | |
| Linux Kernel | =2.6.12-rc6 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 | |
| Debian Linux | =10.0 | |
| Debian Linux | =11.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =20.04 | |
| Linux Kernel | ||
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.133-1 6.12.22-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-1184 https://nvd.nist.gov/vuln/detail/CVE-2022-1184
- https://bugzilla.redhat.com/show_bug.cgi?id=2070205
- https://access.redhat.com/errata/RHSA-2022:7444
- https://access.redhat.com/errata/RHSA-2022:7683
- https://access.redhat.com/errata/RHSA-2022:8267
- https://access.redhat.com/errata/RHSA-2022:7933
- https://access.redhat.com/security/cve/cve-2022-1184
- https://access.redhat.com/security/cve/CVE-2022-1184
- https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html
- https://ubuntu.com/security/CVE-2022-1184
- https://www.debian.org/security/2022/dsa-5257
- https://launchpad.net/bugs/cve/CVE-2022-1184
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2076153
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2070205#c12
- https://access.redhat.com/errata/RHSA-2024:1877
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184
- https://nvd.nist.gov/vuln/detail/CVE-2022-1184
- https://security-tracker.debian.org/tracker/CVE-2022-1184
- https://git.kernel.org/linus/65f8ea4cd57dbd46ea13b41dc8bac03176b04233
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-1184?
CVE-2022-1184 is classified as a high severity vulnerability due to its potential to cause segmentation faults in critical system components.
What are the affected versions for CVE-2022-1184?
CVE-2022-1184 affects various versions of the Linux Kernel, specifically those before 4.18.0-425.3.1, among others.
How do I fix CVE-2022-1184?
To fix CVE-2022-1184, upgrade to the patched versions including kernel-rt 0:4.18.0-425.3.1.rt7.213.el8 or kernel 0:4.18.0-425.3.1.el8 for Red Hat systems.
What systems are affected by CVE-2022-1184?
CVE-2022-1184 impacts systems running certain versions of the Linux Kernel, Red Hat Enterprise Linux, and Debian GNU/Linux.
Is CVE-2022-1184 remotely exploitable?
CVE-2022-1184 is not remotely exploitable, but it can lead to local denial-of-service conditions.
- collector/redhat-cve
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/author
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1184
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/trending
- agent/source
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/2.6.12
- version/linux kernel/2.6.12-rc2
- version/linux kernel/2.6.12-rc3
- version/linux kernel/2.6.12-rc4
- version/linux kernel/2.6.12-rc5
- version/linux kernel/2.6.12-rc6
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0
- version/debian linux/11.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/20.04
- package-manager/debian