| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022644-CVE-2022-49363-a93a@gregkh> Date: Wed, 26 Feb 2025 03:10:37 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49363: f2fs: fix to do sanity check on block address in f2fs_do_zero_range() Description =========== In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on block address in f2fs_do_zero_range() As Yanming reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215894 I have encountered a bug in F2FS file system in kernel v5.17. I have uploaded the system call sequence as case.c, and a fuzzed image can be found in google net disk The kernel should enable CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can reproduce the bug by running the following commands: kernel BUG at fs/f2fs/segment.c:2291! Call Trace: f2fs_invalidate_blocks+0x193/0x2d0 f2fs_fallocate+0x2593/0x4a70 vfs_fallocate+0x2a5/0xac0 ksys_fallocate+0x35/0x70 __x64_sys_fallocate+0x8e/0xf0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is, after image was fuzzed, block mapping info in inode will be inconsistent with SIT table, so in f2fs_fallocate(), it will cause panic when updating SIT with invalid blkaddr. Let's fix the issue by adding sanity check on block address before updating SIT table with it. The Linux kernel CVE team has assigned CVE-2022-49363 to this issue. Affected and fixed versions =========================== Fixed in 5.4.198 with commit 7361c9f2bd6a8f0cbb41cdea9aff04765ff23f67 Fixed in 5.10.121 with commit a34d7b49894b0533222188a52e2958750f830efd Fixed in 5.15.46 with commit f2e1c38b5ac64eb1a16a89c52fb419409d12c25b Fixed in 5.17.14 with commit 470493be19a5730ed432e3ac0f29a2ee7fc6c557 Fixed in 5.18.3 with commit 805b48b234a2803cb7daec7f158af12f0fbaefac Fixed in 5.19 with commit 25f8236213a91efdf708b9d77e9e51b6fc3e141c Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49363 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/f2fs/file.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/7361c9f2bd6a8f0cbb41cdea9aff04765ff23f67 https://git.kernel.org/stable/c/a34d7b49894b0533222188a52e2958750f830efd https://git.kernel.org/stable/c/f2e1c38b5ac64eb1a16a89c52fb419409d12c25b https://git.kernel.org/stable/c/470493be19a5730ed432e3ac0f29a2ee7fc6c557 https://git.kernel.org/stable/c/805b48b234a2803cb7daec7f158af12f0fbaefac https://git.kernel.org/stable/c/25f8236213a91efdf708b9d77e9e51b6fc3e141c
Powered by blists - more mailing lists