CVE-2022-50839
Description
In the Linux kernel, the following vulnerability has been resolved:
jbd2: fix potential buffer head reference count leak
As in 'jbd2_fc_wait_bufs', if the buffer isn't uptodate, it will return -EIO without updating 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer heads from 'j_fc_off - 1', and if 'bh' is NULL it will terminate the release, which will lead to a buffer head reference count leak. To solve the above issue, update 'journal->j_fc_off' before returning -EIO.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer head reference count leak in the Linux kernel's jbd2 journaling layer can occur when a buffer is not uptodate, leading to a resource leak.
Vulnerability
Description
In the Linux kernel's jbd2 journaling subsystem, the function jbd2_fc_wait_bufs may return -EIO when a buffer is not uptodate without updating the journal's j_fc_off field. This causes jbd2_fc_release_bufs to release buffer heads from an incorrect offset, leading to a reference count leak on the buffer head [1][2].
Exploitation
An attacker would need to trigger a journal I/O error that causes a buffer to be not uptodate during fast commit processing. This requires local access to the system and the ability to induce a storage error or mount a filesystem with journaling enabled. No special privileges beyond normal filesystem access are needed to trigger the code path.
Impact
Successful exploitation results in a buffer head reference count leak, which can lead to memory exhaustion over time and a denial of service condition. The leak can accumulate until the system becomes unstable or crashes. The vulnerability does not directly allow code execution or privilege escalation.
Mitigation
The fix updates journal->j_fc_off before returning -EIO in jbd2_fc_wait_bufs, ensuring that jbd2_fc_release_bufs correctly releases all buffer heads. The patch has been applied to the stable kernel tree [1][2]. Users should apply the latest kernel updates from their distribution.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
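The leak and its fix described above, as an added userspace model in C (not the kernel's code and not the patch itself). `struct bh`, `struct journal`, `wait_bufs`, `release_bufs` and `leaked_refs` are hypothetical stand-ins, and the downward loop order and the `i + 1` offset are assumptions of this model.

```c
#include <errno.h>
#include <stdio.h>
#define NBUF 4
struct bh { int refcount; int uptodate; };  /* stand-in for struct buffer_head */
struct journal { struct bh *wbuf[NBUF]; int fc_off; };  /* models j_fc_wbuf, j_fc_off */

/* Model of jbd2_fc_wait_bufs: walk down from fc_off - 1, dropping one ref each. */
static int wait_bufs(struct journal *j, int num_blks, int fixed)
{
    int off = j->fc_off;
    for (int i = off - 1; i >= off - num_blks; i--) {
        struct bh *b = j->wbuf[i];
        if (!b->uptodate) {
            if (fixed)
                j->fc_off = i + 1;  /* fix: tell release where held refs begin */
            return -EIO;
        }
        b->refcount--;
        j->wbuf[i] = NULL;
    }
    return 0;
}

/* Model of jbd2_fc_release_bufs: start at fc_off - 1, stop at first NULL slot. */
static void release_bufs(struct journal *j)
{
    for (int i = j->fc_off - 1; i >= 0; i--) {
        if (!j->wbuf[i])
            break;
        j->wbuf[i]->refcount--;
        j->wbuf[i] = NULL;
    }
}

/* Constructed scenario: 4 buffers, buffer 1 fails I/O. Returns refs still held. */
int leaked_refs(int fixed)
{
    struct bh bufs[NBUF];
    struct journal j = { .fc_off = NBUF };
    for (int i = 0; i < NBUF; i++) {
        bufs[i] = (struct bh){ .refcount = 1, .uptodate = (i != 1) };
        j.wbuf[i] = &bufs[i];
    }
    int leaked = 0, rc = wait_bufs(&j, NBUF, fixed);
    release_bufs(&j);
    for (int i = 0; i < NBUF; i++)
        leaked += bufs[i].refcount;
    return rc == -EIO ? leaked : -1;
}
int main(void) { printf("leaked: %d unfixed, %d fixed\n", leaked_refs(0), leaked_refs(1)); return 0; }
```

Without the offset update, the release loop starts at a slot the wait loop already cleared and stops immediately, so the failed buffer and every buffer below it keep their references.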
Affected products (1)
Patches (5)
- 7a33dde572fc
- e7385c868ee0
- 68ed9c76b2af
- 9b073d737253
- e0d5fc7a6d80
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/68ed9c76b2affd47177b92495446abb7262d0ef7 (nvd)
- git.kernel.org/stable/c/7a33dde572fceb45d02d188e0213c47059401c93 (nvd)
- git.kernel.org/stable/c/9b073d73725366d886b711b74e058c02f51e7a0e (nvd)
- git.kernel.org/stable/c/e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a (nvd)
- git.kernel.org/stable/c/e7385c868ee038d6a0cb0e85c22d2741e7910fd5 (nvd)