Message-ID: <2025022632-CVE-2022-49282-9868@gregkh>
Date: Wed, 26 Feb 2025 02:58:07 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49282: f2fs: quota: fix loop condition at f2fs_quota_sync()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
f2fs: quota: fix loop condition at f2fs_quota_sync()
cnt should be passed to sb_has_quota_active() instead of type to check
active quota properly.
Moreover, when the type is -1, the compiler with enough inline knowledge
can discard the sb_has_quota_active() check altogether, causing a NULL pointer
dereference at the following inode_lock(dqopt->files[cnt]):
[ 2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 2.796024] Mem abort info:
[ 2.796025] ESR = 0x96000005
[ 2.796028] EC = 0x25: DABT (current EL), IL = 32 bits
[ 2.796029] SET = 0, FnV = 0
[ 2.796031] EA = 0, S1PTW = 0
[ 2.796032] Data abort info:
[ 2.796034] ISV = 0, ISS = 0x00000005
[ 2.796035] CM = 0, WnR = 0
[ 2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000
[ 2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000
[ 2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S 5.4.179-arter97-r8-64666-g2f16e087f9d8 #1
[ 2.796057] Hardware name: Qualcomm Technologies, Inc. Lahaina MTP lemonadep (DT)
[ 2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO)
[ 2.796065] pc : down_write+0x28/0x70
[ 2.796070] lr : f2fs_quota_sync+0x100/0x294
[ 2.796071] sp : ffffffa3f48ffc30
[ 2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000
[ 2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80
[ 2.796077] x25: ffffffa3f7290048 x24: 0000000000000001
[ 2.796078] x23: 0000000000000000 x22: ffffffa3f7290000
[ 2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110
[ 2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038
[ 2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0
[ 2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0
[ 2.796086] x13: 00000000000004f6 x12: 00162c44ff493000
[ 2.796088] x11: 0000000000000400 x10: ffffffa40e38c948
[ 2.796090] x9 : 0000000000000000 x8 : 00000000000000a0
[ 2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a
[ 2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d
[ 2.796094] x3 : 00000000060c0000 x2 : 0000000000000001
[ 2.796096] x1 : 0000000000000000 x0 : 00000000000000a0
[ 2.796098] Call trace:
[ 2.796100] down_write+0x28/0x70
[ 2.796102] f2fs_quota_sync+0x100/0x294
[ 2.796104] block_operations+0x120/0x204
[ 2.796106] f2fs_write_checkpoint+0x11c/0x520
[ 2.796107] __checkpoint_and_complete_reqs+0x7c/0xd34
[ 2.796109] issue_checkpoint_thread+0x6c/0xb8
[ 2.796112] kthread+0x138/0x414
[ 2.796114] ret_from_fork+0x10/0x18
[ 2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02)
[ 2.796120] ---[ end trace 96e942e8eb6a0b53 ]---
[ 2.800116] Kernel panic - not syncing: Fatal exception
[ 2.800120] SMP: stopping secondary CPUs
The Linux kernel CVE team has assigned CVE-2022-49282 to this issue.
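A constructed user-space model of the loop the commit message describes, added here and not the kernel's own code: it runs the buggy check (type passed to the predicate) and the fixed check (cnt passed) side by side over the same quota state, so the whole-filesystem sync with type == -1 shows the NULL file pointer the oops above reports. struct quota_model, quota_active_model() and quota_sync_model() are stand-ins for the kernel's quota state, sb_has_quota_active() and the f2fs_quota_sync() loop; treating an out-of-range type as a discarded check is an assumption modelling what the commit message says the compiler did.

```c
/* Constructed user-space model of the f2fs_quota_sync() loop; not kernel code. */
#include <stddef.h>
#include <string.h>

#define MAXQUOTAS 3   /* user, group, project, as in the kernel */

/* Constructed stand-in for the kernel's quota state: a flag bit per
 * active quota type and the backing quota file (NULL when inactive). */
struct quota_model {
    unsigned active_flags;
    const char *files[MAXQUOTAS];
};

/* Models sb_has_quota_active(). An out-of-range type such as -1 is a
 * bad argument: the real helper shifts by the type, undefined for -1,
 * and the commit message reports the compiler then dropped the check.
 * The model counts the bad call and lets the check pass (assumption). */
static int quota_active_model(const struct quota_model *q, int type,
                              int *bad_arg)
{
    if (type < 0 || type >= MAXQUOTAS) {
        (*bad_arg)++;
        return 1;
    }
    return (q->active_flags >> type) & 1u;
}

/* The loop from f2fs_quota_sync(): check_type=1 passes `type` to the
 * predicate (the bug), check_type=0 passes `cnt` (the fix). Records
 * which quota files were "locked"; returns -1 where the kernel would
 * have dereferenced a NULL file pointer, 0 otherwise. */
static int quota_sync_model(const struct quota_model *q, int type,
                            int check_type, int locked[MAXQUOTAS],
                            int *bad_arg)
{
    int cnt;

    memset(locked, 0, sizeof(int) * MAXQUOTAS);
    *bad_arg = 0;
    for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
        if (type != -1 && cnt != type)
            continue;
        if (!quota_active_model(q, check_type ? type : cnt, bad_arg))
            continue;
        if (q->files[cnt] == NULL)
            return -1;      /* inode_lock(dqopt->files[cnt]) on NULL */
        locked[cnt] = 1;    /* inode_lock() taken on a real file */
    }
    return 0;
}
```

With user and project quota active and group quota inactive, the buggy loop called with type -1 (the checkpoint path in the trace) passes -1 to the predicate on every iteration and reaches the NULL group file; the fixed loop skips it and locks only the two active files.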
Affected and fixed versions
===========================
Issue introduced in 5.4.148 with commit a02982545e61020c23f411b073ba5171381138e4 and fixed in 5.4.189 with commit f1d5946d47c0827bae39e1537959ce8d6f0224c5
Issue introduced in 5.10.67 with commit 2d586a3f5b7ec2f5a939db4abc9aa053c237545c and fixed in 5.10.110 with commit e58ee6bd939b773675240f5d0f5b88a367c037c4
Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.15.33 with commit f9156db0987f1b426015d56505e2c58dee70c90d
Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.16.19 with commit e9ebf1e8fc50b6a9336f9aea1082d7845e568d0e
Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.17.2 with commit 724469814d805820cd37ea789769dba94123ff1a
Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.18 with commit 680af5b824a52faa819167628665804a14f0e0df
Issue introduced in 5.13.19 with commit 9dd5052a8a8be252990c1bb451b51f32529411ef
Issue introduced in 5.14.6 with commit 699a077aa087c17cf29c7170db71a34141e2effe
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49282
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/f2fs/super.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f1d5946d47c0827bae39e1537959ce8d6f0224c5
https://git.kernel.org/stable/c/e58ee6bd939b773675240f5d0f5b88a367c037c4
https://git.kernel.org/stable/c/f9156db0987f1b426015d56505e2c58dee70c90d
https://git.kernel.org/stable/c/e9ebf1e8fc50b6a9336f9aea1082d7845e568d0e
https://git.kernel.org/stable/c/724469814d805820cd37ea789769dba94123ff1a
https://git.kernel.org/stable/c/680af5b824a52faa819167628665804a14f0e0df