| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120947-CVE-2022-50673-f920@gregkh>
Date: Tue, 9 Dec 2025 10:30:58 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50673: ext4: fix use-after-free in ext4_orphan_cleanup
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4_orphan_cleanup
I caught a issue as follows:
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
Read of size 8 at addr ffff88814b13f378 by task mount/710
CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
Call Trace:
<TASK>
dump_stack_lvl+0x73/0x9f
print_report+0x25d/0x759
kasan_report+0xc0/0x120
__asan_load8+0x99/0x140
__list_add_valid+0x28/0x1a0
ext4_orphan_cleanup+0x564/0x9d0 [ext4]
__ext4_fill_super+0x48e2/0x5300 [ext4]
ext4_fill_super+0x19f/0x3a0 [ext4]
get_tree_bdev+0x27b/0x450
ext4_get_tree+0x19/0x30 [ext4]
vfs_get_tree+0x49/0x150
path_mount+0xaae/0x1350
do_mount+0xe2/0x110
__x64_sys_mount+0xf0/0x190
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_orphan_cleanup
--- loop1: assume last_orphan is 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
ext4_truncate --> return 0
ext4_inode_attach_jinode --> return -ENOMEM
iput(inode) --> free inode<12>
--- loop2: last_orphan is still 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
// use inode<12> and trigger UAF
To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
The Linux kernel CVE team has assigned CVE-2022-50673 to this issue.
Affected and fixed versions
===========================
Fixed in 4.19.270 with commit 7f801a1593cb957f73659732836b2dafbdfc7709
Fixed in 5.4.229 with commit 026a4490b5381229a30f23d073b58e8e35ee6858
Fixed in 5.10.163 with commit 7223d5e75f26352354ea2c0ccf8b579821b52adf
Fixed in 5.15.87 with commit cf0e0817b0f925b70d101d7014ea81b7094e1159
Fixed in 6.0.18 with commit c2bdbd4c69308835d1b6f6ba74feeccbfe113478
Fixed in 6.1.4 with commit 7908b8a541b1578cc61b4da7f19b604a931441da
Fixed in 6.2 with commit a71248b1accb2b42e4980afef4fa4a27fa0e36f5
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50673
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/ext4/inode.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709
https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858
https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf
https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159
https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478
https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da
https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5
Powered by blists - more mailing lists