CVE-2022-49168
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not clean up repair bio if submit fails
The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio.
Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given.
Security Summary
CVE-2022-49168 is a use-after-free (CWE-416) vulnerability in the Linux kernel's BTRFS filesystem implementation. It arises during repair bio handling when a bio submission fails: the submit helper invokes bio_endio() on the failed bio, but subsequent cleanup in the repair function races with this endio callback, leading to use-after-free errors and NULL pointer dereferences. The issue affects Linux kernel versions prior to the application of the relevant stable patches.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, which has a CVSS v3.1 base score of 7.8 (High). Exploitation requires only local access and low complexity, enabling high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, data corruption, or system crashes within the context of the BTRFS repair operations.
Mitigation involves applying upstream kernel patches from the provided stable commit references, such as https://git.kernel.org/stable/c/7170875083254b51fcc5d67f96640977083f481e and others. These patches modify the BTRFS repair logic to avoid manual bio cleanup on submission failure, instead returning BLK_STS_OK to allow the bio_endio() callback to handle page cleanup appropriately, thereby preventing the race condition. Security practitioners should update affected systems to distribution kernels that incorporate these fixes.
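The ownership rule behind the fix, as an added userspace model (not kernel code and not part of the original advisory): every name below is hypothetical, and a counter stands in for the real teardown so the double cleanup can be observed safely.

```c
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not a kernel symbol. */
struct model_bio {
    int releases; /* how many times the per-page state was torn down */
};

/* Completion callback: the one place that owns teardown. */
static void model_end_io(struct model_bio *b) { b->releases++; }

/* Submit helper: on failure it always runs the completion itself. */
static int model_submit(struct model_bio *b, int fail)
{
    if (fail) {
        model_end_io(b);
        return -1;
    }
    return 0; /* on success, completion would run later */
}

/* Pre-fix pattern: the caller also tears down on error. */
static int repair_before(struct model_bio *b, int fail)
{
    int ret = model_submit(b, fail);
    if (ret)
        b->releases++; /* second teardown; in the kernel this races with endio */
    return ret;
}

/* Post-fix pattern: report success so the remaining pages are processed. */
static int repair_after(struct model_bio *b, int fail)
{
    (void)model_submit(b, fail); /* completion already cleaned up */
    return 0;
}

/* Teardown count for one failed submission under each pattern. */
static int releases_on_failure(int fixed)
{
    struct model_bio b = { 0 };
    (void)(fixed ? repair_after(&b, 1) : repair_before(&b, 1));
    return b.releases;
}

int main(void)
{
    printf("before=%d after=%d\n", releases_on_failure(0), releases_on_failure(1));
    return 0;
}
```

A teardown count of 2 on the failure path is the modelled equivalent of the double cleanup; the fixed pattern yields exactly 1.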
Details
- CWE(s)