CVE-2022-49337

{"id": "CVE-2022-49337", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:10.457", "references": [{"url": "https://git.kernel.org/stable/c/02480e2e82ae0e5588374bbbcf4fa6e4959fa174", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1434cd71ad9f3a6beda3036972983b6c4869207c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2c5e26a626fe46675bceba853e12aaf13c712e10", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/337e36550788dbe03254f0593a231c1c4873b20d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/733a35c00ef363a1c774d7ea486e0735b7c13a15", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/82bf8e7271fade40184177cb406203addc34c4a0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/863e0d81b6683c4cbc588ad831f560c90e494bef", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9c96238fac045b289993d7bc5aae7b2d72b25c76", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/efb54ec548829e1d3605f0434526f86e345b1b28", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: dlmfs: fix error handling of user_dlm_destroy_lock\n\nWhen user_dlm_destroy_lock failed, it didn't clean up the flags it set\nbefore exit. For USER_LOCK_IN_TEARDOWN, if this function fails because of\nlock is still in used, next time when unlink invokes this function, it\nwill return succeed, and then unlink will remove inode and dentry if lock\nis not in used(file closed), but the dlm lock is still linked in dlm lock\nresource, then when bast come in, it will trigger a panic due to\nuser-after-free. See the following panic call trace. To fix this,\nUSER_LOCK_IN_TEARDOWN should be reverted if fail. And also error should\nbe returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink\nfail.\n\nFor the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,\nUSER_LOCK_BUSY is also required to be cleared. Even though spin lock is\nreleased in between, but USER_LOCK_IN_TEARDOWN is still set, for\nUSER_LOCK_BUSY, if before every place that waits on this flag,\nUSER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow\nwaits on the busy flag set by user_dlm_destroy_lock(), then we can\nsimplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails. Fix\nuser_dlm_cluster_lock() which is the only function not following this.\n\n[ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink\n004fb0000060000b5a90b8c847b72e1, error -16 from destroy\n[ 989.757536] ------------[ cut here ]------------\n[ 989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!\n[ 989.757876] invalid opcode: 0000 [#1] SMP\n[ 989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)\nksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc\nxen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5\nauth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs\nocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc\nfcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc\nrds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad\nrdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)\nmlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad\nib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support\npcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si\nipmi_msghandler\n[ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp\npps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel\nbe2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio\nlibiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi\ndm_mirror dm_region_hash dm_log dm_mod [last unloaded:\nksplice_2zhuk2jr_ib_ipoib_old]\n[ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P OE\n4.1.12-124.57.1.el6uek.x86_64 #2\n[ 989.762290] Hardware name: Oracle Corporation ORACLE SERVER\nX5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021\n[ 989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:\nffff88017f7c8000\n[ 989.762848] RIP: e030:[<ffffffffc07d4316>] [<ffffffffc07d4316>]\n__user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]\n[ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246\n[ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:\n0000000000000003\n[ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:\nffff880174d48170\n[ 989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:\n0000000000000000\n[ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:\nffff880174d48008\n[ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:\nffff88021db7a000\n[ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000)\nknlGS:ffff880247480000\n[ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:\n0000000000042660\n[ 989.765081] Stack:\n[ 989.765167] 00000000000\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ocfs2: dlmfs: se corrige la gesti\u00f3n de errores de user_dlm_destroy_lock Cuando user_dlm_destroy_lock fallaba, no limpiaba las banderas que establec\u00eda antes de salir. Para USER_LOCK_IN_TEARDOWN, si esta funci\u00f3n falla debido a que el bloqueo a\u00fan est\u00e1 en uso, la pr\u00f3xima vez que unlink invoque esta funci\u00f3n, devolver\u00e1 \u00e9xito y luego unlink eliminar\u00e1 el inodo y la dentry si el bloqueo no est\u00e1 en uso (archivo cerrado), pero el bloqueo dlm a\u00fan est\u00e1 vinculado en el recurso de bloqueo dlm, luego cuando bast ingrese, activar\u00e1 un p\u00e1nico debido a use after free. Vea el siguiente seguimiento de llamada de p\u00e1nico. Para solucionar esto, USER_LOCK_IN_TEARDOWN debe revertirse si falla. Y tambi\u00e9n debe devolverse un error si USER_LOCK_IN_TEARDOWN est\u00e1 configurado para informar al usuario que unlink fall\u00f3. En el caso de que falle ocfs2_dlm_unlock, adem\u00e1s de USER_LOCK_IN_TEARDOWN, tambi\u00e9n se requiere borrar USER_LOCK_BUSY. Aunque se libere el bloqueo de giro en el medio, pero USER_LOCK_IN_TEARDOWN a\u00fan est\u00e9 configurado, para USER_LOCK_BUSY, si antes de cada lugar que espera en este indicador, se marca USER_LOCK_IN_TEARDOWN para que se libere, eso asegurar\u00e1 que ning\u00fan flujo espere en el indicador de ocupado establecido por user_dlm_destroy_lock(), entonces podemos simplemente revertir USER_LOCK_BUSY cuando falla ocfs2_dlm_unlock. Corrija user_dlm_cluster_lock(), que es la \u00fanica funci\u00f3n que no sigue esto. [ 941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: desvincular 004fb0000060000b5a90b8c847b72e1, error -16 de la destrucci\u00f3n [ 989.757536] ------------[ cortar aqu\u00ed ]------------ [ 989.757709] \u00a1ERROR del kernel en fs/ocfs2/dlmfs/userdlm.c:173! [ 989.757876] c\u00f3digo de operaci\u00f3n no v\u00e1lido: 0000 [#1] SMP [ 989.758027] M\u00f3dulos vinculados en: ksplice_2zhuk2jr_ib_ipoib_new(O) ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5 auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf puente stp llc rds_rdma enlace rds ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE) mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt soporte de proveedor de iTCO pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si ipmi_msghandler [ 989.760686] ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi dm_mirror dm_region_hash dm_log dm_mod [\u00faltima descarga: ksplice_2zhuk2jr_ib_ipoib_old] [ 989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Contaminado: P OE 4.1.12-124.57.1.el6uek.x86_64 #2 [ 989.762290] Nombre del hardware: Oracle Corporation ORACLE SERVER X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 17/06/2021 [ 989.762599] tarea: ffff880178af6200 ti: ffff88017f7c8000 task.ti: ffff88017f7c8000 [ 989.762848] RIP: e030:[] [] __user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs] [ 989.763185] RSP: e02b:ffff88017f7cbcb8 EFLAGS: 00010246 [ 989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX: 0000000000000003 [ 989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI: ffff880174d48170 [ 989.763778] RBP: R08: ffff88021f4293b0 R09: 0000000000000000 [ 989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12: ffff880174d48008 [ 989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15: ffff88021db7a000 [ 989.764422] FS: 0000000000000000(0000) GS:ffff880247480000(0000) knlGS:ffff880247480000 [ 989.764685] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 989.764865] CR2: ffff8000007f6800 CR3: ---truncado---"}], "lastModified": "2025-09-22T20:03:53.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D4D4067-974D-4560-8320-22FDA399E3F9", "versionEndExcluding": "4.9.318"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6823775-2653-4644-A0D4-4E6E68F10C65", "versionEndExcluding": "4.14.283", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8CFA0F4-2D75-41F4-9753-87944A08B53B", "versionEndExcluding": "4.19.247", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EC49633-14DE-4EBD-BB80-76AE2E3EABB9", "versionEndExcluding": "5.4.198", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34ACD872-E5BC-401C-93D5-B357A62426E0", "versionEndExcluding": "5.10.121", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20D41697-0E8B-4B7D-8842-F17BF2AA21E1", "versionEndExcluding": "5.15.46", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252", "versionEndExcluding": "5.17.14", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}