CVE-2022-48733 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free after failure to create a snapshot

At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and then attach it to the transaction's list of pending snapshots. After that we call btrfs_commit_transaction(), and if that returns an error we jump to 'fail' label, where we kfree() the pending snapshot structure. This can result in a later use-after-free of the pending snapshot:

1) We allocated the pending snapshot and added it to the transaction's list of pending snapshots;

2) We call btrfs_commit_transaction(), and it fails either at the first call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups(). In both cases, we don't abort the transaction and we release our transaction handle. We jump to the 'fail' label and free the pending snapshot structure. We return with the pending snapshot still in the transaction's list;

3) Another task commits the transaction. This time there's no error at all, and then during the transaction commit it accesses a pointer to the pending snapshot structure that the snapshot creation task has already freed, resulting in a user-after-free.

This issue could actually be detected by smatch, which produced the following warning:

fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list

So fix this by not having the snapshot creation ioctl directly add the pending snapshot to the transaction's list. Instead add the pending snapshot to the transaction handle, and then at btrfs_commit_transaction() we add the snapshot to the list only when we can guarantee that any error returned after that point will result in a transaction abort, in which case the ioctl code can safely free the pending snapshot and no one can access it anymore.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 10/06/2024

The vulnerability described in CVE-2022-48733 represents a critical use-after-free condition within the Linux kernel's btrfs filesystem implementation that stems from improper handling of snapshot creation operations. This flaw exists in the ioctl.c file where the create_snapshot() function manages the allocation and lifecycle of pending snapshot structures during transaction processing. The issue manifests when a snapshot creation operation fails during transaction commit, leaving a freed memory structure still referenced in the transaction's pending snapshot list, creating a scenario where subsequent transaction commits can access deallocated memory.

The technical flaw occurs due to a race condition in the transaction management flow where the pending snapshot structure is added to the transaction's list before the transaction commit process begins, but the cleanup logic executes prematurely when commit failures occur. Specifically, during the btrfs_commit_transaction() call, if the function encounters errors during either btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups() operations, the code path jumps to the 'fail' label and immediately frees the pending snapshot structure through kfree() while simultaneously leaving the structure reference in the transaction's pending list. This creates a scenario where the freed memory can be accessed by subsequent transaction commits, leading to potential system instability or privilege escalation.

The operational impact of this vulnerability extends beyond simple memory corruption, as it represents a classic use-after-free pattern that can be exploited by malicious actors to achieve arbitrary code execution or system compromise. The vulnerability is particularly concerning in environments where btrfs filesystems are actively used for snapshot operations, as the timing of the race condition can be manipulated to trigger the use-after-free condition. According to CWE classification, this represents a CWE-416: Use After Free vulnerability, which is categorized under the broader category of memory safety issues in software development. The ATT&CK framework would classify this as a memory corruption technique that could potentially lead to privilege escalation through kernel exploitation.

The fix implemented addresses the root cause by modifying the transaction management approach to ensure proper synchronization between snapshot structure allocation and transaction commit phases. Instead of directly adding the pending snapshot to the transaction's list during the ioctl operation, the solution introduces an intermediate step where the snapshot is added to the transaction handle itself. This allows the btrfs_commit_transaction() function to perform the final addition to the transaction's pending list only when it can guarantee that any subsequent errors will result in transaction abort, ensuring that the ioctl code can safely free the pending snapshot structure without risk of subsequent access. This approach prevents the race condition by ensuring that snapshot cleanup occurs only when the transaction is guaranteed to be fully aborted, eliminating the possibility of accessing freed memory structures during subsequent transaction commits. The fix was identified through static analysis tools like smatch, which provided early warning detection of the problematic list management pattern that led to this vulnerability.

Disclosure

06/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00230

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!