First published: Wed Mar 30 2022
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block(), together with a BUG() at fs/ext4/ext4.h:2057. It was tested on 4.14 and 5.16; after the bug is triggered twice or more, it randomly produced segmentation faults in either systemd or other libc functions, with the traces below.

```
==================================================================
[ 99.129641] BUG: KASAN: use-after-free in dx_insert_block+0xf9/0x1e0
[ 99.129678] Read of size 199528 at addr ffff88825d339028 by task tmp32/1078
[ 99.129729] CPU: 3 PID: 1078 Comm: tmp32 Not tainted 5.4.171 #1
[ 99.129730] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 99.129731] Call Trace:
[ 99.129734] dump_stack+0x8b/0xb9
[ 99.129736] ? dx_insert_block+0xf9/0x1e0
[ 99.129739] print_address_description.constprop.4+0x23/0x400
[ 99.129740] ? dx_insert_block+0xf9/0x1e0
[ 99.129742] __kasan_report+0x15c/0x1e0
[ 99.129743] ? dx_insert_block+0xf9/0x1e0
[ 99.129744] kasan_report+0x10/0x20
[ 99.129746] check_memory_region+0x149/0x1a0
[ 99.129747] memmove+0x1f/0x50
[ 99.129748] dx_insert_block+0xf9/0x1e0
[ 99.129750] do_split+0x105b/0x1bf0
[ 99.129754] ? ext4_rename_dir_finish+0x820/0x820
[ 99.129755] ext4_dx_add_entry+0x30b/0x2a20
[ 99.129757] ? _cond_resched+0x15/0x30
[ 99.129759] ? __getblk_gfp+0x35/0x7f0
[ 99.129760] ? add_dirent_to_buf+0x630/0x630
[ 99.129761] ? memset+0x1f/0x40
[ 99.129763] ? fscrypt_setup_filename+0x32/0xce0
[ 99.129765] ? ext4_getblk+0x127/0x3d0
[ 99.129766] ? do_syscall_64+0x9a/0x390
[ 99.129768] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 99.129769] ? ext4_iomap_begin+0xf10/0xf10
[ 99.129771] ? add_transaction_credits+0x13d/0xaf0
[ 99.129772] ? memset+0x1f/0x40
[ 99.129773] ? ext4_fname_setup_filename+0xd1/0x1f0
[ 99.129775] ? memset+0x1f/0x40
[ 99.129776] ext4_add_entry+0x6c7/0xcd0
[ 99.129778] ? make_indexed_dir+0x1130/0x1130
[ 99.129779] ? jbd2_journal_get_write_access+0xaf/0x120
[ 99.129781] ? __ext4_journal_get_write_access+0x41/0x70
[ 99.129782] ? jbd2__journal_start+0x2d6/0x760
[ 99.129784] ext4_rename+0xef9/0x1e00
[ 99.129786] ? avc_has_perm_noaudit+0x1b3/0x380
[ 99.129787] ? ext4_tmpfile+0x3a0/0x3a0
[ 99.129788] ? avc_has_extended_perms+0xe80/0xe80
[ 99.129790] ? selinux_path_notify+0x460/0x460
[ 99.129792] vfs_rename+0x84f/0x1550
[ 99.129794] ? tomoyo_cred_prepare+0xb1/0x160
[ 99.129795] ? vfs_mkdir+0x5a0/0x5a0
[ 99.129796] ? d_alloc+0x56/0x210
[ 99.129797] ? do_renameat2+0x78a/0x970
[ 99.129798] do_renameat2+0x78a/0x970
[ 99.129800] ? user_path_create+0x30/0x30
[ 99.129801] ? lockref_put_return+0xd7/0x190
[ 99.129803] ? blk_pre_runtime_suspend+0x280/0x280
[ 99.129804] ? kmem_cache_alloc+0x177/0x220
[ 99.129805] ? mnt_get_count+0x1e0/0x1e0
[ 99.129806] ? dput+0x5a/0x760
[ 99.129808] ? path_setxattr+0xb9/0x130
[ 99.129809] ? setxattr+0x240/0x240
[ 99.129810] ? __fget_light+0x55/0x1f0
[ 99.129811] ? __fget_light+0x55/0x1f0
[ 99.129813] __x64_sys_rename+0x5a/0x80
[ 99.129814] do_syscall_64+0x9a/0x390
[ 99.129815] ? prepare_exit_to_usermode+0xec/0x1a0
[ 99.129817] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 99.129819] RIP: 0033:0x7f8665863639
```

Reading the trace: the reliable frames (those without a leading `?`, which marks stale stack values the unwinder could not verify) give the path rename(2) -> ext4_rename -> ext4_add_entry -> ext4_dx_add_entry -> do_split -> dx_insert_block -> memmove. KASAN caught a 199528-byte read from already-freed memory while dx_insert_block() was shifting directory-index entries during a directory block split, so the corruption happens in the htree (dir_index) code path of an ordinary rename by the local user `tmp32`.
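As an added example (this editor's code, not part of the advisory, the bug report, or the kernel), the Python below parses a KASAN report of the shape shown above into its security-relevant fields and applies a detection rule for this particular trace. The sample input is a constructed, trimmed copy of the trace; the dict field names and the matches_cve_2022_1184() rule are this editor's choices, not anything the kernel or SecAlerts defines.

```python
import re

# Constructed sample: a trimmed copy of the KASAN report quoted in this
# advisory. Most of the unwinder's "?" (stale, unreliable) frames are
# omitted; one is kept to show that the parser skips them.
SAMPLE_DMESG = """\
[   99.129641] BUG: KASAN: use-after-free in dx_insert_block+0xf9/0x1e0
[   99.129678] Read of size 199528 at addr ffff88825d339028 by task tmp32/1078
[   99.129729] CPU: 3 PID: 1078 Comm: tmp32 Not tainted 5.4.171 #1
[   99.129731] Call Trace:
[   99.129734]  dump_stack+0x8b/0xb9
[   99.129736]  ? dx_insert_block+0xf9/0x1e0
[   99.129739]  print_address_description.constprop.4+0x23/0x400
[   99.129742]  __kasan_report+0x15c/0x1e0
[   99.129744]  kasan_report+0x10/0x20
[   99.129746]  check_memory_region+0x149/0x1a0
[   99.129747]  memmove+0x1f/0x50
[   99.129748]  dx_insert_block+0xf9/0x1e0
[   99.129750]  do_split+0x105b/0x1bf0
[   99.129755]  ext4_dx_add_entry+0x30b/0x2a20
[   99.129776]  ext4_add_entry+0x6c7/0xcd0
[   99.129784]  ext4_rename+0xef9/0x1e00
[   99.129792]  vfs_rename+0x84f/0x1550
[   99.129798]  do_renameat2+0x78a/0x970
[   99.129813]  __x64_sys_rename+0x5a/0x80
[   99.129814]  do_syscall_64+0x9a/0x390
[   99.129817]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   99.129819] RIP: 0033:0x7f8665863639
"""

TS = r"^\[\s*[\d.]+\]\s*"  # dmesg timestamp prefix, e.g. "[   99.129641] "
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
CPU_RE = re.compile(TS + r"CPU: \d+ PID: \d+ Comm: \S+ "
                    r"(?P<taint>Not tainted|Tainted:.*?)\s+(?P<kernel>\d\S*)")
TRACE_RE = re.compile(TS + r"Call Trace:")
# A frame is "symbol+0xoff/0xsize"; a leading "? " marks an unreliable frame.
FRAME_RE = re.compile(TS + r"(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SYSCALL_RE = re.compile(r"^__(?:x64|ia32|se|do)_sys_(\w+)$")


def parse_kasan_report(text):
    """Parse one KASAN report into a dict: bug class, faulting function,
    access details, kernel version, the reliable call chain (innermost
    frame first; '?' frames are stale guesses and are dropped) and the
    syscall that entered the kernel."""
    report = {"frames": [], "syscall": None}
    in_trace = False
    for line in text.splitlines():
        if in_trace:
            m = FRAME_RE.match(line)
            if m is None:
                in_trace = False          # e.g. the "RIP:" line ends the trace
            elif not m["unreliable"]:
                report["frames"].append(m["sym"])
            continue
        if m := BUG_RE.match(line):
            report.update(kind=m["kind"], func=m["func"])
        elif m := ACCESS_RE.match(line):
            report.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                          comm=m["comm"], pid=int(m["pid"]))
        elif m := CPU_RE.match(line):
            report.update(kernel=m["kernel"], tainted=m["taint"] != "Not tainted")
        elif TRACE_RE.match(line):
            in_trace = True
    for sym in report["frames"]:
        if s := SYSCALL_RE.match(sym):
            report["syscall"] = s[1]
            break
    return report


def matches_cve_2022_1184(report):
    """Detection rule derived from the trace above (editor's rule): a KASAN
    use-after-free in dx_insert_block reached from do_split, i.e. during an
    ext4 directory-index block split."""
    return (report.get("kind") == "use-after-free"
            and report.get("func") == "dx_insert_block"
            and "do_split" in report["frames"])


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_DMESG)
    print(f"{r['kind']} in {r['func']}: {r['op']} of {r['size']} bytes by "
          f"{r['comm']}/{r['pid']} on {r['kernel']} via {r['syscall']}(2)")
    print(" -> ".join(reversed(r["frames"])))
    print("matches CVE-2022-1184 signature:", matches_cve_2022_1184(r))
```

A KASAN report like this only appears on a kernel built with CONFIG_KASAN, which production kernels are not; on a normal build the same bug surfaces as a generic fault ("BUG: unable to handle kernel paging request", a general protection fault, or an ext4 BUG()) or as the userspace crashes the reporter describes, so this rule belongs in a fuzzing or test-lab pipeline rather than in fleet-wide log monitoring.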
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel-rt | <0:4.18.0-425.3.1.rt7.213.el8 | 0:4.18.0-425.3.1.rt7.213.el8 |
redhat/kernel | <0:4.18.0-425.3.1.el8 | 0:4.18.0-425.3.1.el8 |
redhat/kernel | <0:5.14.0-162.6.1.el9_1 | 0:5.14.0-162.6.1.el9_1 |
redhat/kernel-rt | <0:5.14.0-162.6.1.rt21.168.el9_1 | 0:5.14.0-162.6.1.rt21.168.el9_1 |
Linux Kernel | >2.6.12<4.9.138 | |
Linux Kernel | >4.14<4.14.283 | |
Linux Kernel | >4.19<4.19.247 | |
Linux Kernel | >5.4<5.4.198 | |
Linux Kernel | >5.10<5.10.121 | |
Linux Kernel | >5.15<5.15.46 | |
Linux Kernel | >5.17<5.17.14 | |
Linux Kernel | >5.18<5.18.3 | |
Linux Kernel | =2.6.12 | |
Linux Kernel | =2.6.12-rc2 | |
Linux Kernel | =2.6.12-rc3 | |
Linux Kernel | =2.6.12-rc4 | |
Linux Kernel | =2.6.12-rc5 | |
Linux Kernel | =2.6.12-rc6 | |
Red Hat Enterprise Linux | =8.0 | |
Red Hat Enterprise Linux | =9.0 | |
Debian Linux | =10.0 | |
Debian Linux | =11.0 | |
Ubuntu | =14.04 | |
Ubuntu | =16.04 | |
Ubuntu | =18.04 | |
Ubuntu | =20.04 | |
Linux Kernel | | |
debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.128-1 6.12.20-1 6.12.21-1 | |
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
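As an added example (this editor's script, not SecAlerts' or the kernel project's), the Python below turns the upstream "Linux Kernel" rows of the table into a check that can be run on a host. The ranges are copied from the table; reading a lower bound such as ">4.14" as the start of that series (4.14.0) is an assumption noted in the code, and the status names are this script's own.

```python
import platform
import re

# Affected ranges copied from the table on this page as
# (lower bound, upper bound): lower inclusive, upper exclusive.
# Assumption: the table's ">4.14<4.14.283" is read as 4.14.0 <= v < 4.14.283.
# The ">2.6.12<4.9.138" row and the separate "=2.6.12" row are merged.
AFFECTED_RANGES = [
    ((2, 6, 12), (4, 9, 138)),
    ((4, 14, 0), (4, 14, 283)),
    ((4, 19, 0), (4, 19, 247)),
    ((5, 4, 0), (5, 4, 198)),
    ((5, 10, 0), (5, 10, 121)),
    ((5, 15, 0), (5, 15, 46)),
    ((5, 17, 0), (5, 17, 14)),
    ((5, 18, 0), (5, 18, 3)),
]


def parse_release(release):
    """Reduce a uname -r string ('5.4.197-1-amd64', '4.18.0-425.3.1.el8_7.x86_64')
    to (major, minor, patch); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def upstream_status(release):
    """Compare a kernel release against the upstream ranges on this page.
    Returns 'vulnerable', 'fixed' (same series, at or past the fixed patch
    level) or 'unlisted'. 'unlisted' does not mean safe: RHEL 8's 4.18.0-*,
    RHEL 9's 5.14.0-* and Debian/Ubuntu kernels carry backported fixes, so
    for them the package version (rpm -q kernel, dpkg -l 'linux-image-*')
    must be compared against the distro rows of the table, not uname -r."""
    v = parse_release(release)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "vulnerable"
        if v[:2] == hi[:2] and v >= hi:
            return "fixed"
    return "unlisted"


def check_running_kernel():
    """Classify the kernel this script runs on (platform.release() is uname -r)."""
    release = platform.release()
    try:
        return release, upstream_status(release)
    except ValueError:
        return release, "unparseable"


if __name__ == "__main__":
    # Constructed release strings covering each outcome.
    for rel in ("5.4.197-1-amd64", "5.4.198", "4.14.282", "5.15.46-rt",
                "4.18.0-425.3.1.el8_7.x86_64", "6.1.0-18-amd64"):
        print(f"{rel:32} {upstream_status(rel)}")
    print("this host:", *check_running_kernel())
```

Series newer than 5.18 are reported as "unlisted" because the table stops there; they were released after the fix, but the script reports only what the page's data supports. For Red Hat, Debian and Ubuntu hosts, compare the installed package version against the distro rows and the fixed NVRs given above rather than trusting a uname-based result.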
CVE-2022-1184 is a use-after-free in the ext4 directory-index code (fs/ext4/namei.c:dx_insert_block()), reached from rename(2) when a directory block is split; the freed memory is read during that split, corrupting kernel memory and, as the report above shows, crashing unrelated processes such as systemd once the bug has been triggered more than once.
CVE-2022-1184 affects upstream stable kernels before 4.14.283, 4.19.247, 5.4.198, 5.10.121, 5.15.46, 5.17.14 and 5.18.3 (plus the 2.6.12 to 4.9.138 range listed above), Red Hat Enterprise Linux 8 kernels before 4.18.0-425.3.1.el8, and Red Hat Enterprise Linux 9 kernels before 5.14.0-162.6.1.el9_1.
To fix CVE-2022-1184 on Red Hat systems, upgrade to kernel 0:4.18.0-425.3.1.el8 or kernel-rt 0:4.18.0-425.3.1.rt7.213.el8 (RHEL 8), or to kernel 0:5.14.0-162.6.1.el9_1 or kernel-rt 0:5.14.0-162.6.1.rt21.168.el9_1 (RHEL 9); on other distributions install a kernel at or past the stable release listed above for your series, or the distribution package that carries the backported fix.
CVE-2022-1184 impacts systems running the affected Linux Kernel versions listed above, including Red Hat Enterprise Linux 8 and 9, Debian 10 and 11, and Ubuntu 14.04 through 20.04 kernels that predate the fix.
CVE-2022-1184 is not remotely exploitable: triggering it requires a local user able to issue rename() calls on an ext4 filesystem, and the outcome is a kernel use-after-free that leads to local denial of service.