Cyber Posture

CVE-2022-49761

High

Published: 27 March 2025

Modified: 01 April 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2022-49761 is a Use-After-Free vulnerability (CWE-416) in the Linux kernel's BTRFS filesystem, specifically within the run_one_delayed_ref() function responsible for handling delayed references. The issue stems from inadequate error reporting, where failures were previously logged only via btrfs_debug(), which is typically disabled for end users, providing insufficient debugging information. This affects BTRFS operations involving delayed references during transaction commits, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability by triggering a failure in run_one_delayed_ref(), such as through crafted BTRFS operations that cause delayed reference processing to fail. Successful exploitation could allow the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to kernel memory corruption, privilege escalation, or system denial of service, as the error propagates up the call chain from btrfs_run_delayed_refs_for_head() and aborts the transaction.

Mitigation involves applying the relevant stable kernel patches, available via the following commit references:

https://git.kernel.org/stable/c/18bd1c9c02e64a3567f90c83c2c8b855531c8098
https://git.kernel.org/stable/c/39f501d68ec1ed5cd5c66ac6ec2a7131c517bb92
https://git.kernel.org/stable/c/853ffa1511b058c79a4c9bb1407b3b20ce311792
https://git.kernel.org/stable/c/fdb4a70bb768d2a87890409597529ad81cb3de8a

These patches enhance error reporting by replacing btrfs_debug() with btrfs_err(), adding details like logical bytenr, num_bytes, type, action, and ref_mod, and relocating error handling to prevent use-after-free on the node structure, which is freed by callers. The error triggers at most once per transaction abort.

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
6.2 · ≤ 5.10.165 · 5.11 — 5.15.90 · 5.16 — 6.1.8
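
A triage check for the version ranges listed above, as an added example (not code from this page or from the kernel project). It compares upstream version numbers only: distribution kernels backport fixes without changing the upstream version, so an "affected" result means the vendor advisory still has to be consulted. The function names and the handling of the bare "6.2" entry are assumptions.

```python
import platform
import re

# Inclusive upstream version ranges, copied from the "Affected Products" line above.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 10, 165)),   # <= 5.10.165
    ((5, 11, 0), (5, 15, 90)),   # 5.11 to 5.15.90
    ((5, 16, 0), (6, 1, 8)),     # 5.16 to 6.1.8
]
# The page also lists a bare "6.2" with no sublevel. Which 6.2 builds that covers
# is not stated, so such kernels are flagged for manual review (assumption).
REVIEW_SERIES = (6, 2)


def parse_release(release):
    """Turn a `uname -r` string such as '5.15.90-custom' into (major, minor, sublevel)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    # A missing sublevel ('6.2-rc4') is treated as 0.
    return tuple(int(part or 0) for part in m.groups())


def classify(release):
    """Return 'affected', 'review' or 'not-listed' for an upstream kernel release string."""
    version = parse_release(release)
    if version[:2] == REVIEW_SERIES and version[2] == 0:
        return "review"
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            return "affected"
    return "not-listed"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {classify(running)}")
```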

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local use-after-free in the Linux kernel's BTRFS code enables a low-privileged attacker to trigger kernel memory corruption for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
