| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022655-CVE-2022-49428-9756@gregkh> Date: Wed, 26 Feb 2025 03:11:42 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49428: f2fs: fix to do sanity check on inline_dots inode Description =========== In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on inline_dots inode As Wenqing reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215765 It will cause a kernel panic with steps: - mkdir mnt - mount tmp40.img mnt - ls mnt folio_mark_dirty+0x33/0x50 f2fs_add_regular_entry+0x541/0xad0 [f2fs] f2fs_add_dentry+0x6c/0xb0 [f2fs] f2fs_do_add_link+0x182/0x230 [f2fs] __recover_dot_dentries+0x2d6/0x470 [f2fs] f2fs_lookup+0x5af/0x6a0 [f2fs] __lookup_slow+0xac/0x200 lookup_slow+0x45/0x70 walk_component+0x16c/0x250 path_lookupat+0x8b/0x1f0 filename_lookup+0xef/0x250 user_path_at_empty+0x46/0x70 vfs_statx+0x98/0x190 __do_sys_newlstat+0x41/0x90 __x64_sys_newlstat+0x1a/0x30 do_syscall_64+0x37/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is for special file: e.g. character, block, fifo or socket file, f2fs doesn't assign address space operations pointer array for mapping->a_ops field, so, in a fuzzed image, if inline_dots flag was tagged in special file, during lookup(), when f2fs runs into __recover_dot_dentries(), it will cause NULL pointer access once f2fs_add_regular_entry() calls a_ops->set_dirty_page(). The Linux kernel CVE team has assigned CVE-2022-49428 to this issue. Affected and fixed versions =========================== Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.15.46 with commit 250e5a6be52a6b9d82fe91976c83cc158868b4e9 Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.17.14 with commit 34f48ce5d5936eea33e3b6415403e57eb84aff97 Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.18.3 with commit 2f46160d0a19b13bfe96c0dd50eed5c5d253ab7a Issue introduced in 4.1 with commit 510022a85839a8409d1e6a519bb86ce71a84f30a and fixed in 5.19 with commit 12662d19467b391b5b509ac5e9ab4f583c6dde16 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49428 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/f2fs/namei.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/250e5a6be52a6b9d82fe91976c83cc158868b4e9 https://git.kernel.org/stable/c/34f48ce5d5936eea33e3b6415403e57eb84aff97 https://git.kernel.org/stable/c/2f46160d0a19b13bfe96c0dd50eed5c5d253ab7a https://git.kernel.org/stable/c/12662d19467b391b5b509ac5e9ab4f583c6dde16
Powered by blists - more mailing lists