Message-ID: <2025022652-CVE-2022-49409-b4e3@gregkh>
Date: Wed, 26 Feb 2025 03:11:23 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49409: ext4: fix bug_on in __es_tree_search
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix bug_on in __es_tree_search
Hulk Robot reported a BUG_ON:
==================================================================
kernel BUG at fs/ext4/extents_status.c:199!
[...]
RIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]
RIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217
[...]
Call Trace:
ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766
ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561
ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964
ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384
ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567
ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980
ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031
ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257
v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63
v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82
vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368
dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490
ext4_quota_enable fs/ext4/super.c:6137 [inline]
ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163
ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754
mount_bdev+0x2e9/0x3b0 fs/super.c:1158
mount_fs+0x4b/0x1e4 fs/super.c:1261
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
  ext4_enable_quotas
    ext4_quota_enable
      ext4_iget
        __ext4_iget
          ext4_ext_check_inode
            ext4_ext_check
              __ext4_ext_check
                ext4_valid_extent_entries
                  Check for overlapping extents doesn't take effect
      dquot_enable
        vfs_load_quota_inode
          v2_check_quota_file
            v2_read_header
              ext4_quota_read
                ext4_bread
                  ext4_getblk
                    ext4_map_blocks
                      ext4_ext_map_blocks
                        ext4_find_extent
                          ext4_cache_extents
                            ext4_es_cache_extent
                              ext4_es_cache_extent
                                __es_tree_search
                                  ext4_es_end
                                    BUG_ON(es->es_lblk + es->es_len < es->es_lblk)
The erroneous ext4 extents are as follows:
0af3 0300 0400 0000 00000000 extent_header
00000000 0100 0000 12000000 extent1
00000000 0100 0000 18000000 extent2
02000000 0400 0000 14000000 extent3
In the ext4_valid_extent_entries function,
if prev is 0, no error is returned even if lblock<=prev.
This was intended to skip the check on the first extent, but
in the error image above, prev=0+1-1=0 when checking the second extent,
so even though lblock<=prev, the function does not return an error.
As a result, BUG_ON occurs in __es_tree_search and the system panics.
To solve this problem, we only need to check that:
1. The lblock of the first extent is not less than 0.
2. The lblock of the next extent is not less than
the next block of the previous extent.
The same applies to extent_idx.
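To make the failure mode concrete, the following is an added, stand-alone C example (it is not kernel code and not part of this advisory). It parses the on-disk ext4 extent header and leaf entries from a raw byte buffer, then runs two overlap checks over them: one written the way the description says the check behaved before the fix (the `&& prev` clause and `prev = lblock + len - 1`), and one written the way the fix describes it (`prev` holds the first block after the previous extent). The byte buffer is constructed from the three extents listed above; the struct and field names mirror the kernel's on-disk layout but are defined locally here, and `EXT_INIT_MAX_LEN` handling of uninitialized extents is included on the assumption that `ee_len` follows the kernel's encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Local copies of the ext4 on-disk extent layouts (little-endian). */
#define EXT4_EXT_MAGIC   0xF30A
#define EXT_INIT_MAX_LEN (1U << 15)  /* ee_len above this marks an uninitialized extent */
#define EXT4_EXT_SIZE    12          /* header and each entry are 12 bytes */

struct ext4_extent_hdr { uint16_t eh_magic, eh_entries, eh_max, eh_depth; uint32_t eh_generation; };
struct ext4_extent     { uint32_t ee_block; uint16_t ee_len, ee_start_hi; uint32_t ee_start_lo; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a depth-0 (leaf) extent block: header followed by eh_entries extents.
 * Returns the number of extents, or -1 if the header itself is unusable. */
static int parse_leaf(const uint8_t *buf, size_t len, struct ext4_extent *out, int max_out)
{
    if (len < EXT4_EXT_SIZE) return -1;
    struct ext4_extent_hdr eh = { le16(buf), le16(buf + 2), le16(buf + 4), le16(buf + 6), le32(buf + 8) };
    if (eh.eh_magic != EXT4_EXT_MAGIC || eh.eh_depth != 0) return -1;
    if (eh.eh_entries > eh.eh_max || eh.eh_entries > max_out) return -1;
    if (len < (size_t)(eh.eh_entries + 1) * EXT4_EXT_SIZE) return -1;
    for (int i = 0; i < eh.eh_entries; i++) {
        const uint8_t *p = buf + (i + 1) * EXT4_EXT_SIZE;
        out[i].ee_block    = le32(p);
        out[i].ee_len      = le16(p + 4);
        out[i].ee_start_hi = le16(p + 6);
        out[i].ee_start_lo = le32(p + 8);
    }
    return eh.eh_entries;
}

/* Length in blocks; an uninitialized extent stores len + EXT_INIT_MAX_LEN. */
static uint32_t actual_len(const struct ext4_extent *e)
{
    return e->ee_len <= EXT_INIT_MAX_LEN ? e->ee_len : e->ee_len - EXT_INIT_MAX_LEN;
}

/* Overlap check as described for the pre-fix code: "&& prev" was meant to skip
 * the first entry, but also skips any entry whose predecessor ended at block 0. */
static int entries_valid_before_fix(const struct ext4_extent *ext, int n)
{
    uint32_t prev = 0;
    for (int i = 0; i < n; i++) {
        uint32_t lblock = ext[i].ee_block;
        if (lblock <= prev && prev) return 0;
        prev = lblock + actual_len(&ext[i]) - 1;  /* last block of this extent */
    }
    return 1;
}

/* Overlap check as the fix describes it: every extent must start at or after
 * the block following its predecessor (the first extent at or after block 0). */
static int entries_valid_after_fix(const struct ext4_extent *ext, int n)
{
    uint32_t prev = 0;
    for (int i = 0; i < n; i++) {
        uint32_t lblock = ext[i].ee_block;
        if (lblock < prev) return 0;
        prev = lblock + actual_len(&ext[i]);      /* first block after this extent */
    }
    return 1;
}

/* Parse and validate a raw leaf; with_fix selects which check to run.
 * Returns 1 (accepted), 0 (rejected) or -1 (unparseable header). */
static int validate_leaf(const uint8_t *buf, size_t len, int with_fix)
{
    struct ext4_extent ext[4];
    int n = parse_leaf(buf, len, ext, 4);
    if (n < 0) return -1;
    return with_fix ? entries_valid_after_fix(ext, n) : entries_valid_before_fix(ext, n);
}

/* Constructed sample: the exact bytes listed in the advisory (header + three extents). */
static const uint8_t CORRUPT_LEAF[] = {
    0x0a,0xf3, 0x03,0x00, 0x04,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,  /* magic, 3 entries, max 4, depth 0 */
    0x00,0x00,0x00,0x00, 0x01,0x00, 0x00,0x00, 0x12,0x00,0x00,0x00,  /* extent1: lblk 0, len 1, pblk 0x12 */
    0x00,0x00,0x00,0x00, 0x01,0x00, 0x00,0x00, 0x18,0x00,0x00,0x00,  /* extent2: lblk 0, len 1, pblk 0x18 */
    0x02,0x00,0x00,0x00, 0x04,0x00, 0x00,0x00, 0x14,0x00,0x00,0x00,  /* extent3: lblk 2, len 4, pblk 0x14 */
};

/* Constructed sample: the same layout with non-overlapping logical blocks 0, 1, 2..5. */
static const uint8_t GOOD_LEAF[] = {
    0x0a,0xf3, 0x03,0x00, 0x04,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x01,0x00, 0x00,0x00, 0x12,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x01,0x00, 0x00,0x00, 0x18,0x00,0x00,0x00,
    0x02,0x00,0x00,0x00, 0x04,0x00, 0x00,0x00, 0x14,0x00,0x00,0x00,
};

int main(void)
{
    printf("corrupt leaf: before-fix=%d after-fix=%d\n",
           validate_leaf(CORRUPT_LEAF, sizeof CORRUPT_LEAF, 0),
           validate_leaf(CORRUPT_LEAF, sizeof CORRUPT_LEAF, 1));
    printf("good leaf:    before-fix=%d after-fix=%d\n",
           validate_leaf(GOOD_LEAF, sizeof GOOD_LEAF, 0),
           validate_leaf(GOOD_LEAF, sizeof GOOD_LEAF, 1));
    return 0;
}
```

On the advisory's extents the pre-fix check accepts the leaf (after extent1, `prev` is 0+1-1=0, so the `&& prev` clause disables the comparison for extent2), while the post-fix check rejects it at extent2 because its lblock 0 is below the expected next block 1; the non-overlapping sample passes both checks, which is the regression guard a reviewer would want alongside the negative case.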
The Linux kernel CVE team has assigned CVE-2022-49409 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.4.277 with commit d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f
Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.10.121 with commit 4fd58b5cf118d2d9038a0b8c9cc0e43096297686
Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.15.46 with commit 3c617827cd51018bc377bd2954e176920ddbcfad
Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.17.14 with commit 59cf2fabbfe76de29d88dd7ae69858a25735b59f
Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.18.3 with commit ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a
Issue introduced in 3.13 with commit 5946d089379a35dda0e531710b48fca05446a196 and fixed in 5.19 with commit d36f6ed761b53933b0b4126486c10d3da7751e7f
Issue introduced in 3.2.55 with commit 4645e4ee32aee01a85bdc03348982a65c65ce216
Issue introduced in 3.4.76 with commit a1192c0e5d037def6763f3873d3340615c241fe7
Issue introduced in 3.10.26 with commit ae21dda05193c441bde106a4bbf88c185a68fbed
Issue introduced in 3.12.7 with commit ea214c946ee77588c4313be3e9951edd25d6b270
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49409
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/ext4/extents.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f
https://git.kernel.org/stable/c/4fd58b5cf118d2d9038a0b8c9cc0e43096297686
https://git.kernel.org/stable/c/3c617827cd51018bc377bd2954e176920ddbcfad
https://git.kernel.org/stable/c/59cf2fabbfe76de29d88dd7ae69858a25735b59f
https://git.kernel.org/stable/c/ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a
https://git.kernel.org/stable/c/d36f6ed761b53933b0b4126486c10d3da7751e7f