CVE-2022-48674

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48674
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48674.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48674
Downstream
Related
Published
2024-05-03T15:15:07Z
Modified
2025-08-09T20:01:26Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix pcluster use-after-free on UP platforms

During stress testing with CONFIG_SMP disabled, KASAN reports as below:

================================================================== BUG: KASAN: use-after-free in _mutexlock+0xe5/0xc30 Read of size 8 at addr ffff8881094223f8 by task stress/7789

CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: <TASK> .. _mutexlock+0xe5/0xc30 .. zerofsdoreadpage+0x8ce/0x1560 .. zerofsreadahead+0x31c/0x580 .. Freed by task 7787 kasansavestack+0x1e/0x40 kasansettrack+0x20/0x30 kasansetfreeinfo+0x20/0x40 _kasanslabfree+0x10c/0x190 kmemcachefree+0xed/0x380 rcucore+0x3d5/0xc90 _do_softirq+0x12d/0x389

Last potentially related work creation: kasansavestack+0x1e/0x40 _kasanrecordauxstack+0x97/0xb0 callrcu+0x3d/0x3f0 erofsshrinkworkstation+0x11f/0x210 erofsshrinkscan+0xdc/0x170 shrinkslab.constprop.0+0x296/0x530 dropslab+0x1c/0x70 dropcachessysctlhandler+0x70/0x80 procsyscallhandler+0x20a/0x2f0 vfswrite+0x555/0x6c0 ksyswrite+0xbe/0x160 dosyscall_64+0x3b/0x90

The root cause is that erofsworkgroupunfreeze() doesn't reset to orig_val thus it causes a race that the pcluster reuses unexpectedly before freeing.

Since UP platforms are quite rare now, such path becomes unnecessary. Let's drop such specific-designed path directly instead.

References

Affected packages