First published: Wed Mar 30 2022
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block(), together with a BUG() in fs/ext4/ext4.h:2057. It was tested on 4.14 and 5.16; after the bug is triggered twice or more, random segmentation faults occur in either systemd or other libc functions, with the traces below.

```
==================================================================
[ 99.129641] BUG: KASAN: use-after-free in dx_insert_block+0xf9/0x1e0
[ 99.129678] Read of size 199528 at addr ffff88825d339028 by task tmp32/1078
[ 99.129729] CPU: 3 PID: 1078 Comm: tmp32 Not tainted 5.4.171 #1
[ 99.129730] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 99.129731] Call Trace:
[ 99.129734]  dump_stack+0x8b/0xb9
[ 99.129736]  ? dx_insert_block+0xf9/0x1e0
[ 99.129739]  print_address_description.constprop.4+0x23/0x400
[ 99.129740]  ? dx_insert_block+0xf9/0x1e0
[ 99.129742]  __kasan_report+0x15c/0x1e0
[ 99.129743]  ? dx_insert_block+0xf9/0x1e0
[ 99.129744]  kasan_report+0x10/0x20
[ 99.129746]  check_memory_region+0x149/0x1a0
[ 99.129747]  memmove+0x1f/0x50
[ 99.129748]  dx_insert_block+0xf9/0x1e0
[ 99.129750]  do_split+0x105b/0x1bf0
[ 99.129754]  ? ext4_rename_dir_finish+0x820/0x820
[ 99.129755]  ext4_dx_add_entry+0x30b/0x2a20
[ 99.129757]  ? _cond_resched+0x15/0x30
[ 99.129759]  ? __getblk_gfp+0x35/0x7f0
[ 99.129760]  ? add_dirent_to_buf+0x630/0x630
[ 99.129761]  ? memset+0x1f/0x40
[ 99.129763]  ? fscrypt_setup_filename+0x32/0xce0
[ 99.129765]  ? ext4_getblk+0x127/0x3d0
[ 99.129766]  ? do_syscall_64+0x9a/0x390
[ 99.129768]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 99.129769]  ? ext4_iomap_begin+0xf10/0xf10
[ 99.129771]  ? add_transaction_credits+0x13d/0xaf0
[ 99.129772]  ? memset+0x1f/0x40
[ 99.129773]  ? ext4_fname_setup_filename+0xd1/0x1f0
[ 99.129775]  ? memset+0x1f/0x40
[ 99.129776]  ext4_add_entry+0x6c7/0xcd0
[ 99.129778]  ? make_indexed_dir+0x1130/0x1130
[ 99.129779]  ? jbd2_journal_get_write_access+0xaf/0x120
[ 99.129781]  ? __ext4_journal_get_write_access+0x41/0x70
[ 99.129782]  ? jbd2__journal_start+0x2d6/0x760
[ 99.129784]  ext4_rename+0xef9/0x1e00
[ 99.129786]  ? avc_has_perm_noaudit+0x1b3/0x380
[ 99.129787]  ? ext4_tmpfile+0x3a0/0x3a0
[ 99.129788]  ? avc_has_extended_perms+0xe80/0xe80
[ 99.129790]  ? selinux_path_notify+0x460/0x460
[ 99.129792]  vfs_rename+0x84f/0x1550
[ 99.129794]  ? tomoyo_cred_prepare+0xb1/0x160
[ 99.129795]  ? vfs_mkdir+0x5a0/0x5a0
[ 99.129796]  ? d_alloc+0x56/0x210
[ 99.129797]  ? do_renameat2+0x78a/0x970
[ 99.129798]  do_renameat2+0x78a/0x970
[ 99.129800]  ? user_path_create+0x30/0x30
[ 99.129801]  ? lockref_put_return+0xd7/0x190
[ 99.129803]  ? blk_pre_runtime_suspend+0x280/0x280
[ 99.129804]  ? kmem_cache_alloc+0x177/0x220
[ 99.129805]  ? mnt_get_count+0x1e0/0x1e0
[ 99.129806]  ? dput+0x5a/0x760
[ 99.129808]  ? path_setxattr+0xb9/0x130
[ 99.129809]  ? setxattr+0x240/0x240
[ 99.129810]  ? __fget_light+0x55/0x1f0
[ 99.129811]  ? __fget_light+0x55/0x1f0
[ 99.129813]  __x64_sys_rename+0x5a/0x80
[ 99.129814]  do_syscall_64+0x9a/0x390
[ 99.129815]  ? prepare_exit_to_usermode+0xec/0x1a0
[ 99.129817]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 99.129819] RIP: 0033:0x7f8665863639
```
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel-rt | <0:4.18.0-425.3.1.rt7.213.el8 | 0:4.18.0-425.3.1.rt7.213.el8 |
redhat/kernel | <0:4.18.0-425.3.1.el8 | 0:4.18.0-425.3.1.el8 |
redhat/kernel | <0:5.14.0-162.6.1.el9_1 | 0:5.14.0-162.6.1.el9_1 |
redhat/kernel-rt | <0:5.14.0-162.6.1.rt21.168.el9_1 | 0:5.14.0-162.6.1.rt21.168.el9_1 |
Linux Linux kernel | ||
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Linux Linux kernel | >2.6.12<4.9.138 | |
Linux Linux kernel | >4.14<4.14.283 | |
Linux Linux kernel | >4.19<4.19.247 | |
Linux Linux kernel | >5.4<5.4.198 | |
Linux Linux kernel | >5.10<5.10.121 | |
Linux Linux kernel | >5.15<5.15.46 | |
Linux Linux kernel | >5.17<5.17.14 | |
Linux Linux kernel | >5.18<5.18.3 | |
Linux Linux kernel | =2.6.12 | |
Linux Linux kernel | =2.6.12-rc2 | |
Linux Linux kernel | =2.6.12-rc3 | |
Linux Linux kernel | =2.6.12-rc4 | |
Linux Linux kernel | =2.6.12-rc5 | |
Linux Linux kernel | =2.6.12-rc6 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =20.04 | |
debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.11.10-1 6.12.5-1 |
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.