CVE-2022-48923 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

btrfs: prevent copying too big compressed lzo segment

Compressed length can be corrupted to be a lot larger than memory we have allocated for buffer. This will cause memcpy in copy_compressed_segment to write outside of allocated memory.

This mostly results in stuck read syscall but sometimes when using btrfs send can get #GP

kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI
kernel: CPU: 17 PID: 264 Comm: kworker/u256:7 Tainted: P OE 5.17.0-rc2-1 #12 kernel: Workqueue: btrfs-endio btrfs_work_helper [btrfs]
kernel: RIP: 0010:lzo_decompress_bio (./include/linux/fortify-string.h:225 fs/btrfs/lzo.c:322 fs/btrfs/lzo.c:394) btrfs Code starting with the faulting instruction =========================================== 0:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction 3: 48 8d 79 08 lea 0x8(%rcx),%rdi 7: 48 83 e7 f8 and $0xfffffffffffffff8,%rdi b: 48 89 01 mov %rax,(%rcx) e: 44 89 f0 mov %r14d,%eax 11: 48 8b 54 06 f8 mov -0x8(%rsi,%rax,1),%rdx kernel: RSP: 0018:ffffb110812efd50 EFLAGS: 00010212 kernel: RAX: 0000000000001000 RBX: 000000009ca264c8 RCX: ffff98996e6d8ff8 kernel: RDX: 0000000000000064 RSI: 000841551d5c1000 RDI: ffffffff9500435d kernel: RBP: ffff989a3be856c0 R08: 0000000000000000 R09: 0000000000000000 kernel: R10: 0000000000000000 R11: 0000000000001000 R12: ffff98996e6d8000 kernel: R13: 0000000000000008 R14: 0000000000001000 R15: 000841551d5c1000 kernel: FS: 0000000000000000(0000) GS:ffff98a09d640000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 00001e9f984d9ea8 CR3: 000000014971a000 CR4: 00000000003506e0 kernel: Call Trace: kernel: kernel: end_compressed_bio_read (fs/btrfs/compression.c:104 fs/btrfs/compression.c:1363 fs/btrfs/compression.c:323) btrfs kernel: end_workqueue_fn (fs/btrfs/disk-io.c:1923) btrfs kernel: btrfs_work_helper (fs/btrfs/async-thread.c:326) btrfs kernel: process_one_work (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:212 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2312) kernel: worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2455) kernel: ? process_one_work (kernel/workqueue.c:2397) kernel: kthread (kernel/kthread.c:377) kernel: ? kthread_complete_and_exit (kernel/kthread.c:332) kernel: ret_from_fork (arch/x86/entry/entry_64.S:301) kernel:

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/11/2024

The vulnerability described in CVE-2022-48923 represents a critical memory corruption flaw within the Linux kernel's btrfs file system implementation, specifically affecting the LZO compression handling mechanism. This issue stems from inadequate validation of compressed data lengths during decompression operations, creating a scenario where maliciously crafted compressed data can cause buffer overflows that lead to arbitrary code execution or system instability. The vulnerability manifests when the kernel attempts to copy compressed segments using the copy_compressed_segment function, which lacks proper bounds checking against the compressed data length field. This flaw directly maps to CWE-129 Input Validation and CWE-787 Out-of-bounds Write, both of which are fundamental security weaknesses that can be exploited to gain unauthorized access or cause denial of service conditions.

The technical exploitation of this vulnerability occurs during read operations on btrfs file systems that utilize LZO compression, particularly when processing compressed data streams. When the kernel encounters corrupted compressed data where the reported compressed length exceeds the allocated buffer size, the memcpy operation in copy_compressed_segment function attempts to write beyond the bounds of the allocated memory region. This memory corruption typically results in a stuck read system call, where the process becomes unresponsive due to the kernel's inability to properly handle the corrupted data. However, in more severe cases involving btrfs send operations, the vulnerability can trigger a general protection fault (GPF) leading to a kernel panic, as evidenced by the kernel crash dump showing a RIP instruction pointer at lzo_decompress_bio function with a non-canonical address reference. The fault occurs in the context of a workqueue execution thread, specifically within the btrfs_endio work helper function, indicating that the vulnerability affects the asynchronous I/O processing path of the btrfs file system.

The operational impact of this vulnerability extends beyond simple system instability, as it can be leveraged by attackers to execute arbitrary code with kernel privileges or cause persistent denial of service conditions. The vulnerability affects systems running Linux kernel versions prior to the fix, particularly those utilizing btrfs file systems with LZO compression enabled, which is common in enterprise storage solutions and containerized environments. The memory corruption patterns suggest that attackers could potentially craft specific compressed data streams to trigger the vulnerability and potentially escalate privileges, though the exact attack vectors would depend on the specific execution context and memory layout of affected systems. This vulnerability aligns with ATT&CK technique T1068, which covers the exploitation of privilege escalation vulnerabilities, and represents a significant risk to systems that rely on btrfs file systems for storage operations.

Mitigation strategies for CVE-2022-48923 primarily involve upgrading to kernel versions that contain the appropriate patches, specifically kernel versions 5.18 and later where the vulnerability has been addressed through enhanced bounds checking in the compressed data handling routines. System administrators should also consider implementing additional security measures such as disabling LZO compression on btrfs file systems where it is not strictly necessary, monitoring for unusual read operations that might indicate exploitation attempts, and ensuring proper kernel hardening configurations are in place. The patch for this vulnerability specifically addresses the validation of compressed data lengths before memory operations are performed, preventing the overflow condition that leads to the memory corruption. Organizations should prioritize patching affected systems and consider implementing intrusion detection systems that can identify suspicious patterns in btrfs I/O operations that might indicate exploitation attempts. Additionally, regular security audits of storage configurations should be conducted to ensure that compression algorithms are properly configured and that appropriate access controls are in place to limit potential attack surfaces.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00210

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!