Linux Kernel up to 5.10.120/5.15.45/5.17.13/5.18.2 bcache bch_journal_meta initialization

Summaryinfo

A vulnerability was found in Linux Kernel up to 5.10.120/5.15.45/5.17.13/5.18.2. It has been classified as problematic. Affected by this issue is the function bch_journal_meta of the component bcache. Performing a manipulation results in initialization. This vulnerability is reported as CVE-2022-49327. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as problematic has been found in Linux Kernel up to 5.10.120/5.15.45/5.17.13/5.18.2. This affects the function bch_journal_meta of the component bcache. The manipulation with an unknown input leads to a initialization vulnerability. CWE is classifying the issue as CWE-665. The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This is going to have an impact on availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: bcache: avoid journal no-space deadlock by reserving 1 journal bucket The journal no-space deadlock was reported time to time. Such deadlock can happen in the following situation. When all journal buckets are fully filled by active jset with heavy write I/O load, the cache set registration (after a reboot) will load all active jsets and inserting them into the btree again (which is called journal replay). If a journaled bkey is inserted into a btree node and results btree node split, new journal request might be triggered. For example, the btree grows one more level after the node split, then the root node record in cache device super block will be upgrade by bch_journal_meta() from bch_btree_set_root(). But there is no space in journal buckets, the journal replay has to wait for new journal bucket to be reclaimed after at least one journal bucket replayed. This is one example that how the journal no-space deadlock happens. The solution to avoid the deadlock is to reserve 1 journal bucket in run time, and only permit the reserved journal bucket to be used during cache set registration procedure for things like journal replay. Then the journal space will never be fully filled, there is no chance for journal no-space deadlock to happen anymore. This patch adds a new member "bool do_reserve" in struct journal, it is inititalized to 0 (false) when struct journal is allocated, and set to 1 (true) by bch_journal_space_reserve() when all initialization done in run_cache_set(). In the run time when journal_reclaim() tries to allocate a new journal bucket, free_journal_buckets() is called to check whether there are enough free journal buckets to use. If there is only 1 free journal bucket and journal->do_reserve is 1 (true), the last bucket is reserved and free_journal_buckets() will return 0 to indicate no free journal bucket. Then journal_reclaim() will give up, and try next time to see whetheer there is free journal bucket to allocate. By this method, there is always 1 jouranl bucket reserved in run time. During the cache set registration, journal->do_reserve is 0 (false), so the reserved journal bucket can be used to avoid the no-space deadlock.

It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2022-49327 since 02/26/2025. The exploitability is told to be difficult. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 5.10.121, 5.15.46, 5.17.14 or 5.18.3 eliminates this vulnerability. Applying the patch 59afd4f287900c8187e968a4153ed35e6b48efce/5607652823ac65e2c6885e73bd46d5a4f9a20363/6332ea3e35efa12dc08f0cbf5faea5e6e8eb0497/1dda32aed6f62c163f38ff947ef5b3360e329159/32feee36c30ea06e38ccb8ae6e5c44c6eec790a6 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 5.10.120
• 5.15.0
• 5.15.1
• 5.15.2
• 5.15.3
• 5.15.4
• 5.15.5
• 5.15.6
• 5.15.7
• 5.15.8
• 5.15.9
• 5.15.10
• 5.15.11
• 5.15.12
• 5.15.13
• 5.15.14
• 5.15.15
• 5.15.16
• 5.15.17
• 5.15.18
• 5.15.19
• 5.15.20
• 5.15.21
• 5.15.22
• 5.15.23
• 5.15.24
• 5.15.25
• 5.15.26
• 5.15.27
• 5.15.28
• 5.15.29
• 5.15.30
• 5.15.31
• 5.15.32
• 5.15.33
• 5.15.34
• 5.15.35
• 5.15.36
• 5.15.37
• 5.15.38
• 5.15.39
• 5.15.40
• 5.15.41
• 5.15.42
• 5.15.43
• 5.15.44
• 5.15.45
• 5.17.0
• 5.17.1
• 5.17.2
• 5.17.3
• 5.17.4
• 5.17.5
• 5.17.6
• 5.17.7
• 5.17.8
• 5.17.9
• 5.17.10
• 5.17.11
• 5.17.12
• 5.17.13
• 5.18.0
• 5.18.1
• 5.18.2

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion