CVE-2022-50755

Vulnerability

CVE-2022-50755 describes a use-after-free style bug in the UDF filesystem implementation within the Linux kernel/fs/udf/namei.c. When udf_rename() calls udf_find_entry() and that function returns NULL, it still calls brelse() on both ofibh.sbh and ofibh.ebh buffer heads. However, udf_rename() also calls brelse() on the same buffer heads, resulting in a double free of the buffer head reference count. The kernel detects this via a WARN_ON in __brelse() and can cause system instability.

Exploitation

To trigger the bug, an attacker needs the ability to rename files within a UDF filesystem (mounted read-write) while the directory entry lookup fails. The attack surface is local, requiring the ability to execute a create UDF filesystem and perform rename operations with specific directory entry patterns that cause udf_find_entry() to return NULL. No authentication beyond normal file system access is needed.

Impact

The double brelse() causes the buffer head's b_count to become unbalanced, leading to a kernel warning and potentially a kernel panic (denial of service). The bug does not appear to allow arbitrary code execution or privilege escalation based on the official description and references.

Mitigation

Patches are available from the stable kernel trees [1][2][3]. The fix removes the redundant brelse() calls from udf_rename() when udf_find_entry() returns NULL, letting the lookup. Ensure systems are updated to a kernel version containing the fix.