CVE-2022-49999

{"id": "CVE-2022-49999", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:27.673", "references": [{"url": "https://git.kernel.org/stable/c/92dc4c1a8e58bcc7a183a4c86b055c24cc88d967", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2e54eb64229f07f917b05d0c323604fda9b89f7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ced8ecf026fd8084cf175530ff85c76d6085d715", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix space cache corruption and potential double allocations\n\nWhen testing space_cache v2 on a large set of machines, we encountered a\nfew symptoms:\n\n1. \"unable to add free space :-17\" (EEXIST) errors.\n2. Missing free space info items, sometimes caught with a \"missing free\n space info for X\" error.\n3. Double-accounted space: ranges that were allocated in the extent tree\n and also marked as free in the free space tree, ranges that were\n marked as allocated twice in the extent tree, or ranges that were\n marked as free twice in the free space tree. If the latter made it\n onto disk, the next reboot would hit the BUG_ON() in\n add_new_free_space().\n4. On some hosts with no on-disk corruption or error messages, the\n in-memory space cache (dumped with drgn) disagreed with the free\n space tree.\n\nAll of these symptoms have the same underlying cause: a race between\ncaching the free space for a block group and returning free space to the\nin-memory space cache for pinned extents causes us to double-add a free\nrange to the space cache. This race exists when free space is cached\nfrom the free space tree (space_cache=v2) or the extent tree\n(nospace_cache, or space_cache=v1 if the cache needs to be regenerated).\nstruct btrfs_block_group::last_byte_to_unpin and struct\nbtrfs_block_group::progress are supposed to protect against this race,\nbut commit d0c2f4fa555e (\"btrfs: make concurrent fsyncs wait less when\nwaiting for a transaction commit\") subtly broke this by allowing\nmultiple transactions to be unpinning extents at the same time.\n\nSpecifically, the race is as follows:\n\n1. An extent is deleted from an uncached block group in transaction A.\n2. btrfs_commit_transaction() is called for transaction A.\n3. btrfs_run_delayed_refs() -> __btrfs_free_extent() runs the delayed\n ref for the deleted extent.\n4. __btrfs_free_extent() -> do_free_extent_accounting() ->\n add_to_free_space_tree() adds the deleted extent back to the free\n space tree.\n5. do_free_extent_accounting() -> btrfs_update_block_group() ->\n btrfs_cache_block_group() queues up the block group to get cached.\n block_group->progress is set to block_group->start.\n6. btrfs_commit_transaction() for transaction A calls\n switch_commit_roots(). It sets block_group->last_byte_to_unpin to\n block_group->progress, which is block_group->start because the block\n group hasn't been cached yet.\n7. The caching thread gets to our block group. Since the commit roots\n were already switched, load_free_space_tree() sees the deleted extent\n as free and adds it to the space cache. It finishes caching and sets\n block_group->progress to U64_MAX.\n8. btrfs_commit_transaction() advances transaction A to\n TRANS_STATE_SUPER_COMMITTED.\n9. fsync calls btrfs_commit_transaction() for transaction B. Since\n transaction A is already in TRANS_STATE_SUPER_COMMITTED and the\n commit is for fsync, it advances.\n10. btrfs_commit_transaction() for transaction B calls\n switch_commit_roots(). This time, the block group has already been\n cached, so it sets block_group->last_byte_to_unpin to U64_MAX.\n11. btrfs_commit_transaction() for transaction A calls\n btrfs_finish_extent_commit(), which calls unpin_extent_range() for\n the deleted extent. It sees last_byte_to_unpin set to U64_MAX (by\n transaction B!), so it adds the deleted extent to the space cache\n again!\n\nThis explains all of our symptoms above:\n\n* If the sequence of events is exactly as described above, when the free\n space is re-added in step 11, it will fail with EEXIST.\n* If another thread reallocates the deleted extent in between steps 7\n and 11, then step 11 will silently re-add that space to the space\n cache as free even though it is actually allocated. Then, if that\n space is allocated *again*, the free space tree will be corrupted\n (namely, the wrong item will be deleted).\n* If we don't catch this free space tree corr\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: correcci\u00f3n de corrupci\u00f3n de cach\u00e9 de espacio y posibles asignaciones dobles. Al probar space_cache v2 en un conjunto grande de m\u00e1quinas, encontramos algunos s\u00edntomas: 1. Errores \"no se puede agregar espacio libre :-17\" (EEXIST). 2. Falta de informaci\u00f3n de espacio libre, a veces detectados con el error \"falta informaci\u00f3n de espacio libre para X\". 3. Espacio contabilizado dos veces: rangos asignados en el \u00e1rbol de extensiones y marcados como libres en dicho \u00e1rbol, rangos marcados como asignados dos veces en el \u00e1rbol de extensiones o rangos marcados como libres dos veces en dicho \u00e1rbol. Si estos \u00faltimos se almacenaban en el disco, el siguiente reinicio generar\u00eda el error BUG_ON() en add_new_free_space(). 4. En algunos hosts sin corrupci\u00f3n en disco ni mensajes de error, la cach\u00e9 de espacio en memoria (volcada con drgn) no coincid\u00eda con el \u00e1rbol de espacio libre. Todos estos s\u00edntomas tienen la misma causa subyacente: una competencia entre el almacenamiento en cach\u00e9 del espacio libre de un grupo de bloques y su devoluci\u00f3n a la cach\u00e9 de espacio en memoria para las extensiones fijadas provoca la duplicaci\u00f3n de un rango libre en la cach\u00e9 de espacio. Esta competencia se produce cuando se almacena en cach\u00e9 el espacio libre del \u00e1rbol de espacio libre (space_cache=v2) o del \u00e1rbol de extensiones (nospace_cache, o space_cache=v1 si es necesario regenerar la cach\u00e9). Se supone que struct btrfs_block_group::last_byte_to_unpin y struct btrfs_block_group::progress protegen contra esta competencia, pero el commit d0c2f4fa555e (\"btrfs: hacer que las sincronizaciones simult\u00e1neas esperen menos al esperar el commit de una transacci\u00f3n\") interrumpi\u00f3 esto sutilmente al permitir que varias transacciones desanclaran extensiones simult\u00e1neamente. Espec\u00edficamente, la ejecuci\u00f3n es la siguiente: 1. Se elimina una extensi\u00f3n de un grupo de bloques no almacenados en cach\u00e9 en la transacci\u00f3n A. 2. Se llama a btrfs_commit_transaction() para la transacci\u00f3n A. 3. btrfs_run_delayed_refs() -> __btrfs_free_extent() ejecuta la referencia retrasada para la extensi\u00f3n eliminada. 4. __btrfs_free_extent() -> do_free_extent_accounting() -> add_to_free_space_tree() agrega la extensi\u00f3n eliminada nuevamente al \u00e1rbol de espacio libre. 5. do_free_extent_accounting() -> btrfs_update_block_group() -> btrfs_cache_block_group() pone en cola el grupo de bloques para almacenar en cach\u00e9. block_group->progress se establece en block_group->start. 6. btrfs_commit_transaction() para la transacci\u00f3n A llama a switch_commit_roots(). Establece block_group->last_byte_to_unpin en block_group->progress, que es block_group->start porque el grupo de bloques a\u00fan no se ha almacenado en cach\u00e9. 7. El hilo de cach\u00e9 accede a nuestro grupo de bloques. Dado que las ra\u00edces de las confirmaciones ya se han cambiado, load_free_space_tree() detecta la extensi\u00f3n eliminada como libre y la a\u00f1ade a la cach\u00e9 de espacio. Finaliza el almacenamiento en cach\u00e9 y establece block_group->progress en U64_MAX. 8. btrfs_commit_transaction() avanza la transacci\u00f3n A a TRANS_STATE_SUPER_COMMITTED. 9. fsync llama a btrfs_commit_transaction() para la transacci\u00f3n B. Dado que la transacci\u00f3n A ya est\u00e1 en TRANS_STATE_SUPER_COMMITTED y el commit es para fsync, avanza. 10. btrfs_commit_transaction() para la transacci\u00f3n B llama a switch_commit_roots(). Esta vez, el grupo de bloques ya se ha almacenado en cach\u00e9, por lo que establece block_group->last_byte_to_unpin en U64_MAX. 11. btrfs_commit_transaction() para la transacci\u00f3n A llama a btrfs_finish_extent_commit(), que llama a unpin_extent_range() para la extensi\u00f3n eliminada. Ve que last_byte_to_unpin est\u00e1 establecido en U64_MAX (\u00a1por la transacci\u00f3n B!), por lo que vuelve a a\u00f1adir la extensi\u00f3n eliminada a la cach\u00e9 de espacio. Esto explica todos nuestros s\u00edntomas anteriores: * Si la secuencia de eventos es exactamente la descrita anteriormente, cuando se vuelve a a\u00f1adir el espacio libre en el paso 11, fallar\u00e1 con EEXIST. * ---truncado---"}], "lastModified": "2025-11-14T16:42:15.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8BA149A8-604D-4FDD-8438-A9C8D5FF0E10", "versionEndExcluding": "5.15.65", "versionStartIncluding": "5.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89E99903-E16D-475D-954B-2BAC46C98262", "versionEndExcluding": "5.19.6", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}