| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022641-CVE-2022-49343-bddc@gregkh> Date: Wed, 26 Feb 2025 03:10:17 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49343: ext4: avoid cycles in directory h-tree Description =========== In the Linux kernel, the following vulnerability has been resolved: ext4: avoid cycles in directory h-tree A maliciously corrupted filesystem can contain cycles in the h-tree stored inside a directory. That can easily lead to the kernel corrupting tree nodes that were already verified under its hands while doing a node split and consequently accessing unallocated memory. Fix the problem by verifying traversed block numbers are unique. The Linux kernel CVE team has assigned CVE-2022-49343 to this issue. Affected and fixed versions =========================== Fixed in 4.14.283 with commit 24b8206fec1db21d7e82f21f0b2ff5e5672cf5b3 Fixed in 4.19.247 with commit b3ad9ff6f06c1dc6abf7437691c88ca3d6da3ac0 Fixed in 5.4.198 with commit e157c8f87e8fac112d6c955e69a60cdb9bc80a60 Fixed in 5.10.121 with commit ff4cafa51762da3824881a9000ca421d4b78b138 Fixed in 5.15.46 with commit 3a3ce941645407cd0b0b7f01ad9e2ea3770f46cc Fixed in 5.17.14 with commit d5a16a6df2c16eaf4de04948553ef0089dee463f Fixed in 5.18.3 with commit 6084240bfc44bf265ab6ae7d96980469b05be0f1 Fixed in 5.19 with commit 3ba733f879c2a88910744647e41edeefbc0d92b2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49343 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/ext4/namei.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/24b8206fec1db21d7e82f21f0b2ff5e5672cf5b3 https://git.kernel.org/stable/c/b3ad9ff6f06c1dc6abf7437691c88ca3d6da3ac0 https://git.kernel.org/stable/c/e157c8f87e8fac112d6c955e69a60cdb9bc80a60 https://git.kernel.org/stable/c/ff4cafa51762da3824881a9000ca421d4b78b138 https://git.kernel.org/stable/c/3a3ce941645407cd0b0b7f01ad9e2ea3770f46cc https://git.kernel.org/stable/c/d5a16a6df2c16eaf4de04948553ef0089dee463f https://git.kernel.org/stable/c/6084240bfc44bf265ab6ae7d96980469b05be0f1 https://git.kernel.org/stable/c/3ba733f879c2a88910744647e41edeefbc0d92b2
Powered by blists - more mailing lists