| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061826-CVE-2022-49996-71e2@gregkh> Date: Wed, 18 Jun 2025 13:01:01 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-49996: btrfs: fix possible memory leak in btrfs_get_dev_args_from_path() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: btrfs: fix possible memory leak in btrfs_get_dev_args_from_path() In btrfs_get_dev_args_from_path(), btrfs_get_bdev_and_sb() can fail if the path is invalid. In this case, btrfs_get_dev_args_from_path() returns directly without freeing args->uuid and args->fsid allocated before, which causes memory leak. To fix these possible leaks, when btrfs_get_bdev_and_sb() fails, btrfs_put_dev_args_from_path() is called to clean up the memory. The Linux kernel CVE team has assigned CVE-2022-49996 to this issue. Affected and fixed versions =========================== Issue introduced in 5.15.54 with commit 321a81835b4aed4f717f89921286f6544ffa8be9 and fixed in 5.15.64 with commit 5f52402c77013e4a826394b807dd5ea4dc83bd72 Issue introduced in 5.16 with commit faa775c41d655a4786e9d53cb075a77bb5a75f66 and fixed in 5.19.6 with commit 4b124ad87244cd7f0883c5eaa38d2326b2154cad Issue introduced in 5.16 with commit faa775c41d655a4786e9d53cb075a77bb5a75f66 and fixed in 6.0 with commit 9ea0106a7a3d8116860712e3f17cd52ce99f6707 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49996 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/btrfs/volumes.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/5f52402c77013e4a826394b807dd5ea4dc83bd72 https://git.kernel.org/stable/c/4b124ad87244cd7f0883c5eaa38d2326b2154cad https://git.kernel.org/stable/c/9ea0106a7a3d8116860712e3f17cd52ce99f6707
Powered by blists - more mailing lists