vulnerability
Ubuntu: (CVE-2022-49834): linux vulnerability
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
7 | (AV:L/AC:M/Au:S/C:C/I:C/A:C) | May 1, 2025 | May 6, 2025 | Jun 12, 2025 |
Description
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free bug of ns_writer on remount
If a nilfs2 filesystem is downgraded to read-only due to metadata
corruption on disk and is remounted read/write, or if emergency read-only
remount is performed, detaching a log writer and synchronizing the
filesystem can be done at the same time.
In these cases, use-after-free of the log writer (hereinafter
nilfs->ns_writer) can happen as shown in the scenario below:
Task1 Task2
-------------------------------- ------------------------------
nilfs_construct_segment
nilfs_segctor_sync
init_wait
init_waitqueue_entry
add_wait_queue
schedule
nilfs_remount (R/W remount case)
nilfs_attach_log_writer
nilfs_detach_log_writer
nilfs_segctor_destroy
kfree
finish_wait
_raw_spin_lock_irqsave
__raw_spin_lock_irqsave
do_raw_spin_lock
debug_spin_lock_before
While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1
waked up, Task1 accesses nilfs->ns_writer which is already freed. This
scenario diagram is based on the Shigeru Yoshida's post [1].
This patch fixes the issue by not detaching nilfs->ns_writer on remount so
that this UAF race doesn't happen. Along with this change, this patch
also inserts a few necessary read-only checks with superblock instance
where only the ns_writer pointer was used to check if the filesystem is
read-only.
Solution(s)
References
- CVE-2022-49834
- https://attackerkb.com/topics/CVE-2022-49834
- URL-https://git.kernel.org/linus/8cccf05fe857a18ee26e20d11a8455a73ffd4efd
- URL-https://git.kernel.org/stable/c/39a3ed68270b079c6b874d4e4727a512b9b4882c
- URL-https://git.kernel.org/stable/c/4feedde5486c07ea79787839153a71ca71329c7d
- URL-https://git.kernel.org/stable/c/8cccf05fe857a18ee26e20d11a8455a73ffd4efd
- URL-https://git.kernel.org/stable/c/9b162e81045266a2d5b44df9dffdf05c54de9cca
- URL-https://git.kernel.org/stable/c/afbd1188382a75f6cfe22c0b68533f7f9664f182
- URL-https://git.kernel.org/stable/c/b152300d5a1ba4258dacf9916bff20e6a8c7603b
- URL-https://git.kernel.org/stable/c/b2fbf10040216ef5ee270773755fc2f5da65b749
- URL-https://git.kernel.org/stable/c/b4736ab5542112fe0a40f140a0a0b072954f34da
- URL-https://www.cve.org/CVERecord?id=CVE-2022-49834

Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.