CVE-2022-48833

{"id": "CVE-2022-48833", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-16T13:15:10.897", "references": [{"url": "https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/40cdc509877bacb438213b83c7541c5e24a1d9ec", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/44557a8f539a822c91238c1f95a95f98a5093d82", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: skip reserved bytes warning on unmount after log cleanup failure\n\nAfter the recent changes made by commit c2e39305299f01 (\"btrfs: clear\nextent buffer uptodate when we fail to write it\") and its followup fix,\ncommit 651740a5024117 (\"btrfs: check WRITE_ERR when trying to read an\nextent buffer\"), we can now end up not cleaning up space reservations of\nlog tree extent buffers after a transaction abort happens, as well as not\ncleaning up still dirty extent buffers.\n\nThis happens because if writeback for a log tree extent buffer failed,\nthen we have cleared the bit EXTENT_BUFFER_UPTODATE from the extent buffer\nand we have also set the bit EXTENT_BUFFER_WRITE_ERR on it. Later on,\nwhen trying to free the log tree with free_log_tree(), which iterates\nover the tree, we can end up getting an -EIO error when trying to read\na node or a leaf, since read_extent_buffer_pages() returns -EIO if an\nextent buffer does not have EXTENT_BUFFER_UPTODATE set and has the\nEXTENT_BUFFER_WRITE_ERR bit set. Getting that -EIO means that we return\nimmediately as we can not iterate over the entire tree.\n\nIn that case we never update the reserved space for an extent buffer in\nthe respective block group and space_info object.\n\nWhen this happens we get the following traces when unmounting the fs:\n\n[174957.284509] BTRFS: error (device dm-0) in cleanup_transaction:1913: errno=-5 IO failure\n[174957.286497] BTRFS: error (device dm-0) in free_log_tree:3420: errno=-5 IO failure\n[174957.399379] ------------[ cut here ]------------\n[174957.402497] WARNING: CPU: 2 PID: 3206883 at fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.407523] Modules linked in: btrfs overlay dm_zero (...)\n[174957.424917] CPU: 2 PID: 3206883 Comm: umount Tainted: G W 5.16.0-rc5-btrfs-next-109 #1\n[174957.426689] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs]\n[174957.429717] Code: 21 48 8b bd (...)\n[174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206\n[174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8\n[174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000\n[174957.436068] RBP: ffff8b0758edd000 R08: 0000000000000000 R09: 0000000000000000\n[174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: ffff8b09c3848148\n[174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15: dead000000000100\n[174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000\n[174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0\n[174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[174957.443076] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[174957.443948] Call Trace:\n[174957.444264] <TASK>\n[174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs]\n[174957.445238] close_ctree+0x301/0x357 [btrfs]\n[174957.445803] ? call_rcu+0x16c/0x290\n[174957.446250] generic_shutdown_super+0x74/0x120\n[174957.446832] kill_anon_super+0x14/0x30\n[174957.447305] btrfs_kill_super+0x12/0x20 [btrfs]\n[174957.447890] deactivate_locked_super+0x31/0xa0\n[174957.448440] cleanup_mnt+0x147/0x1c0\n[174957.448888] task_work_run+0x5c/0xa0\n[174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0\n[174957.449934] syscall_exit_to_user_mode+0x16/0x40\n[174957.450512] do_syscall_64+0x48/0xc0\n[174957.450980] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[174957.451605] RIP: 0033:0x7f328fdc4a97\n[174957.452059] Code: 03 0c 00 f7 (...)\n[174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6\n[174957.455262] RAX: 0000000000000000 RBX: 00007f328feea264 RCX: 00007f328fdc4a97\n[174957.456131] RDX: 0000000000000000 RSI: 00000000000000\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: omite la advertencia de bytes reservados al desmontar despu\u00e9s de un error en la limpieza del registro Despu\u00e9s de los cambios recientes realizados por El commit c2e39305299f01 (\"btrfs: borra la actualizaci\u00f3n del b\u00fafer de extensi\u00f3n cuando no podemos escribirlo\") y su correcci\u00f3n de seguimiento, commit 651740a5024117 (\"btrfs: verifique WRITE_ERR al intentar leer un b\u00fafer de extensi\u00f3n\"), ahora podemos terminar sin limpiar las reservas de espacio de los b\u00faferes de extensi\u00f3n del \u00e1rbol de registro despu\u00e9s de que se produzca una cancelaci\u00f3n de transacci\u00f3n, adem\u00e1s de no limpiar los b\u00faferes de extensi\u00f3n a\u00fan sucios. Esto sucede porque si falla la reescritura para un b\u00fafer de extensi\u00f3n de \u00e1rbol de registro, entonces hemos borrado el bit EXTENT_BUFFER_UPTODATE del b\u00fafer de extensi\u00f3n y tambi\u00e9n hemos configurado el bit EXTENT_BUFFER_WRITE_ERR en \u00e9l. M\u00e1s adelante, al intentar liberar el \u00e1rbol de registro con free_log_tree(), que itera sobre el \u00e1rbol, podemos terminar obteniendo un error -EIO al intentar leer un nodo o una hoja, ya que read_extent_buffer_pages() devuelve -EIO si es una extensi\u00f3n. El b\u00fafer no tiene EXTENT_BUFFER_UPTODATE establecido y tiene el bit EXTENT_BUFFER_WRITE_ERR establecido. Obtener eso -EIO significa que regresamos inmediatamente ya que no podemos iterar sobre todo el \u00e1rbol. En ese caso, nunca actualizamos el espacio reservado para un b\u00fafer de extensi\u00f3n en el grupo de bloques respectivo y el objeto space_info. Cuando esto sucede, obtenemos los siguientes rastros al desmontar el fs: [174957.284509] BTRFS: error (dispositivo dm-0) en cleanup_transaction:1913: errno=-5 IO Failure [174957.286497] BTRFS: error (dispositivo dm-0) en free_log_tree :3420: errno=-5 Fallo de E/S [174957.399379] ------------[ cortar aqu\u00ed ]------------ [174957.402497] ADVERTENCIA: CPU: 2 PID: 3206883 en fs/btrfs/block-group.c:127 btrfs_put_block_group+0x77/0xb0 [btrfs] [174957.407523] M\u00f3dulos vinculados en: btrfs overlay dm_zero (...) [174957.424917] CPU: 2 PID: 3206883 Comm: umount Tain Ted: GW 5.16.0-rc5-btrfs-next-109 #1 [174957.426689] Nombre del hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01 /2014 [174957.428716] RIP: 0010:btrfs_put_block_group+0x77/0xb0 [btrfs] [174957.429717] C\u00f3digo: 21 48 8b bd (...) [174957.432867] RSP: 0018:ffffb70d41cffdd0 EFLAGS: 00010206 [174957.433632] RAX: 0000000000000001 RBX: ffff8b09c3848000 RCX: ffff8b0758edd1c8 [174957.434689] RDX: 0000000000000001 RSI: ffffffffc0b467e7 RDI: ffff8b0758edd000 [174957.436068] RBP: b0758edd000 R08: 0000000000000000 R09: 0000000000000000 [174957.437114] R10: 0000000000000246 R11: 0000000000000000 R12: 8148 [174957.438140] R13: ffff8b09c3848198 R14: ffff8b0758edd188 R15 : muerto000000000100 [174957.439317] FS: 00007f328fb82800(0000) GS:ffff8b0a2d200000(0000) knlGS:0000000000000000 [174957.440402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [174957.441164] CR2: 00007fff13563e98 CR3: 0000000404f4e005 CR4: 0000000000370ee0 [174957.442117] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [174957.443076] DR3: 0000000000000000 DR6: 00000000ffe0ff0 DR7: 000000400 [174957.443948] Seguimiento de llamadas: [174957.444264] [174957.444538] btrfs_free_block_groups+0x255/0x3c0 [btrfs] [174957.445238] close_ctree+0x301 /0x357 [btrfs] [174957.445803] ? call_rcu+0x16c/0x290 [174957.446250] generic_shutdown_super+0x74/0x120 [174957.446832] kill_anon_super+0x14/0x30 [174957.447305] btrfs_kill_super+0x12/0x20 [btrfs] 957.447890] desactivar_locked_super+0x31/0xa0 [174957.448440] cleanup_mnt+0x147/0x1c0 [174957.448888 ] task_work_run+0x5c/0xa0 [174957.449336] exit_to_user_mode_prepare+0x1e5/0x1f0 [174957.449934] syscall_exit_to_user_mode+0x16/0x40 [174957.450512] do_syscall_64+0x48/0 xc0 [174957.450980] Entry_SYSCALL_64_after_hwframe+0x44/0xae [174957.451605] RIP: 0033:0x7f328fdc4a97 [174957.452059] C\u00f3digo : 03 0c 00 f7 (...) [174957.454320] RSP: 002b:00007fff13564ec8 EFLAGS: 00000246 ---truncado- --"}], "lastModified": "2025-10-07T20:05:36.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86894268-9F63-47BD-A035-219EBC359D4E", "versionEndExcluding": "5.5", "versionStartIncluding": "5.4.165"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7949CC3-02E7-4099-99C3-D26CB1690CB5", "versionEndExcluding": "5.11", "versionStartIncluding": "5.10.85"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75E008C1-B8C6-47F5-8236-7FEB08CDACFC", "versionEndExcluding": "5.15.31", "versionStartIncluding": "5.15.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B12F6486-1EC3-413C-8B97-0ABF9C8E75BE", "versionEndExcluding": "5.16", "versionStartIncluding": "5.15.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4CB0C57-AB12-4F2D-B23A-82CA187DBF43", "versionEndExcluding": "5.16.17", "versionStartIncluding": "5.16.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F2E68EC-97DD-461D-9019-1D9AD0AB2739", "versionEndExcluding": "5.17", "versionStartIncluding": "5.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF588A58-013F-4DBF-A3AB-70EC054B1892"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A0915FE-A4AA-4C94-B783-CF29D81E7E54"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4EAC2750-F7C6-4A4E-9C04-1E450722B853"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED611C74-E83A-4AFA-8688-9B829C02B038"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}