CVE-2022-48903 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix relocation crash due to premature return from btrfs_commit_transaction()

We are seeing crashes similar to the following trace:

[38.969182] WARNING: CPU: 20 PID: 2105 at fs/btrfs/relocation.c:4070 btrfs_relocate_block_group+0x2dc/0x340 [btrfs]
[38.973556] CPU: 20 PID: 2105 Comm: btrfs Not tainted 5.17.0-rc4 #54
[38.974580] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[38.976539] RIP: 0010:btrfs_relocate_block_group+0x2dc/0x340 [btrfs]
[38.980336] RSP: 0000:ffffb0dd42e03c20 EFLAGS: 00010206
[38.981218] RAX: ffff96cfc4ede800 RBX: ffff96cfc3ce0000 RCX: 000000000002ca14
[38.982560] RDX: 0000000000000000 RSI: 4cfd109a0bcb5d7f RDI: ffff96cfc3ce0360
[38.983619] RBP: ffff96cfc309c000 R08: 0000000000000000 R09: 0000000000000000
[38.984678] R10: ffff96cec0000001 R11: ffffe84c80000000 R12: ffff96cfc4ede800
[38.985735] R13: 0000000000000000 R14: 0000000000000000 R15: ffff96cfc3ce0360
[38.987146] FS: 00007f11c15218c0(0000) GS:ffff96d6dfb00000(0000) knlGS:0000000000000000
[38.988662] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[38.989398] CR2: 00007ffc922c8e60 CR3: 00000001147a6001 CR4: 0000000000370ee0
[38.990279] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[38.991219] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[38.992528] Call Trace:
[38.992854]
[38.993148] btrfs_relocate_chunk+0x27/0xe0 [btrfs]
[38.993941] btrfs_balance+0x78e/0xea0 [btrfs]
[38.994801] ? vsnprintf+0x33c/0x520
[38.995368] ? __kmalloc_track_caller+0x351/0x440
[38.996198] btrfs_ioctl_balance+0x2b9/0x3a0 [btrfs]
[38.997084] btrfs_ioctl+0x11b0/0x2da0 [btrfs]
[38.997867] ? mod_objcg_state+0xee/0x340
[38.998552] ? seq_release+0x24/0x30
[38.999184] ? proc_nr_files+0x30/0x30
[38.999654] ? call_rcu+0xc8/0x2f0
[39.000228] ? __x64_sys_ioctl+0x84/0xc0
[39.000872] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs]
[39.001973] __x64_sys_ioctl+0x84/0xc0
[39.002566] do_syscall_64+0x3a/0x80
[39.003011] entry_SYSCALL_64_after_hwframe+0x44/0xae
[39.003735] RIP: 0033:0x7f11c166959b
[39.007324] RSP: 002b:00007fff2543e998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[39.008521] RAX: ffffffffffffffda RBX: 00007f11c1521698 RCX: 00007f11c166959b
[39.009833] RDX: 00007fff2543ea40 RSI: 00000000c4009420 RDI: 0000000000000003
[39.011270] RBP: 0000000000000003 R08: 0000000000000013 R09: 00007f11c16f94e0
[39.012581] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff25440df3
[39.014046] R13: 0000000000000000 R14: 00007fff2543ea40 R15: 0000000000000001
[39.015040]
[39.015418] ---[ end trace 0000000000000000 ]---
[43.131559] ------------[ cut here ]------------
[43.132234] kernel BUG at fs/btrfs/extent-tree.c:2717!
[43.133031] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[43.133702] CPU: 1 PID: 1839 Comm: btrfs Tainted: G W 5.17.0-rc4 #54
[43.134863] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[43.136426] RIP: 0010:unpin_extent_range+0x37a/0x4f0 [btrfs]
[43.139913] RSP: 0000:ffffb0dd4216bc70 EFLAGS: 00010246
[43.140629] RAX: 0000000000000000 RBX: ffff96cfc34490f8 RCX: 0000000000000001
[43.141604] RDX: 0000000080000001 RSI: 0000000051d00000 RDI: 00000000ffffffff
[43.142645] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff96cfd07dca50
[43.143669] R10: ffff96cfc46e8a00 R11: fffffffffffec000 R12: 0000000041d00000
[43.144657] R13: ffff96cfc3ce0000 R14: ffffb0dd4216bd08 R15: 0000000000000000
[43.145686] FS: 00007f7657dd68c0(0000) GS:ffff96d6df640000(0000) knlGS:0000000000000000
[43.146808] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43.147584] CR2: 00007f7fe81bf5b0 CR3: 00000001093ee004 CR4: 0000000000370ee0
[43.148589] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[43.149581] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000
---truncated---

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/13/2024

The vulnerability identified as CVE-2022-48903 resides within the btrfs file system implementation in the Linux kernel, specifically affecting the transaction management and block group relocation processes. This flaw manifests as a crash during btrfs balance operations, which are used to reorganize data distribution across storage devices for performance and maintenance purposes. The issue stems from an improper return path in the btrfs_commit_transaction() function, leading to a premature exit that leaves critical data structures in an inconsistent state. The kernel log traces indicate that the crash occurs in the btrfs_relocate_block_group function at line 4070 of the relocation.c file, followed by a subsequent kernel BUG at fs/btrfs/extent-tree.c line 2717 within the unpin_extent_range function. This sequence of events suggests that memory management and extent tracking operations become corrupted when the transaction commit process does not complete properly, resulting in invalid memory access patterns that trigger kernel panics.

The technical root cause of this vulnerability aligns with CWE-248, an unspecified weakness that describes an exception handling issue where an exception is not properly handled, leading to system instability. The flaw impacts the kernel's ability to maintain data integrity during critical file system operations, particularly when dealing with block group relocation and extent management. The improper handling of return values from btrfs_commit_transaction() creates a scenario where subsequent operations attempt to access memory that has already been freed or corrupted, resulting in invalid opcode execution and system crashes. This vulnerability specifically affects systems running Linux kernels with btrfs file system support, particularly those using kernel versions that include the problematic code path. The ATT&CK framework categorizes this as a system service disruption technique, as it causes the kernel to crash and potentially leads to denial of service conditions for file system operations.

The operational impact of CVE-2022-48903 extends beyond simple system crashes to encompass potential data corruption and service unavailability in environments relying on btrfs file systems. When triggered during active balance operations, the vulnerability can cause complete system instability, requiring manual intervention for recovery and potentially leading to data loss if transactions are not properly rolled back. The vulnerability affects systems using btrfs with relocation functionality, including virtualized environments like QEMU systems as indicated by the crash logs, where btrfs balance operations are commonly employed for storage optimization. Organizations running production systems with btrfs file systems should consider this vulnerability particularly critical, as it can lead to unexpected system downtime and potential data integrity issues. The vulnerability is especially concerning in enterprise environments where automated storage management and balance operations are frequently executed, as these operations could trigger the crash without explicit user interaction.

Mitigation strategies for CVE-2022-48903 primarily involve applying the kernel patch that resolves the improper return handling in btrfs_commit_transaction() and ensuring all systems are updated to a patched kernel version. System administrators should prioritize updating their Linux distributions to include the fix for this vulnerability, particularly in environments where btrfs file systems are actively used. Monitoring for signs of the vulnerability manifesting through kernel crash logs or system stability issues can help identify affected systems before full system crashes occur. Additionally, organizations should implement defensive measures such as avoiding btrfs balance operations during critical system periods and maintaining regular backup strategies to ensure data recovery capabilities. The fix addresses the core issue by ensuring proper return value handling in transaction commit operations, preventing premature exits that lead to memory state corruption. System administrators should also consider implementing automated patch management systems to ensure timely deployment of security updates and reduce the window of vulnerability exposure.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00210

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!