lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <2025122458-CVE-2022-50770-ba3b@gregkh>
Date: Wed, 24 Dec 2025 14:06:21 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50770: ocfs2: fix memory leak in ocfs2_mount_volume()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix memory leak in ocfs2_mount_volume()

There is a memory leak reported by kmemleak:

  unreferenced object 0xffff88810cc65e60 (size 32):
    comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s)
    hex dump (first 32 bytes):
      10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01  ................
      01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00  ................
    backtrace:
      [<ffffffff8170f73d>] __kmalloc+0x4d/0x150
      [<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2]
      [<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2]
      [<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2]
      [<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2]
      [<ffffffff818e1fe2>] mount_bdev+0x312/0x400
      [<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0
      [<ffffffff818de82d>] vfs_get_tree+0x7d/0x230
      [<ffffffff81957f92>] path_mount+0xd62/0x1760
      [<ffffffff81958a5a>] do_mount+0xca/0xe0
      [<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0
      [<ffffffff82f26f15>] do_syscall_64+0x35/0x80
      [<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

This call stack is related to two problems.  Firstly, the ocfs2 super uses
"replay_map" to trace online/offline slots, in order to recover offline
slots during recovery and mount.  But when ocfs2_truncate_log_init()
returns an error in ocfs2_mount_volume(), the memory of "replay_map" will
not be freed in error handling path.  Secondly, the memory of "replay_map"
will not be freed if d_make_root() returns an error in ocfs2_fill_super().
But the memory of "replay_map" will be freed normally when completing
recovery and mount in ocfs2_complete_mount_recovery().

Fix the first problem by adding error handling path to free "replay_map"
when ocfs2_truncate_log_init() fails.  And fix the second problem by
calling ocfs2_free_replay_slots(osb) in the error handling path
"out_dismount".  In addition, since ocfs2_free_replay_slots() is static,
it is necessary to remove its static attribute and declare it in header
file.

The Linux kernel CVE team has assigned CVE-2022-50770 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.30 with commit 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 and fixed in 5.4.229 with commit 7ef516888c4d30ae41bfcd79e7077d86d92794c5
	Issue introduced in 2.6.30 with commit 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 and fixed in 5.10.163 with commit 2b7e59ed2e77136e9360274f8f0fc208a003e95c
	Issue introduced in 2.6.30 with commit 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 and fixed in 5.15.107 with commit 8059e200259e9c483d715fc2df6340c227c3e196
	Issue introduced in 2.6.30 with commit 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 and fixed in 6.0.16 with commit 4efe1d2db731bad19891e2fb9b338724b1f598cc
	Issue introduced in 2.6.30 with commit 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 and fixed in 6.1.2 with commit 50ab0ca3aff4da26037113d69f5a756d8c1a92cd
	Issue introduced in 2.6.30 with commit 9140db04ef185f934acf2b1b15b3dd5e6a6bfc22 and fixed in 6.2 with commit ce2fcf1516d674a174d9b34d1e1024d64de9fba3

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50770
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/ocfs2/journal.c
	fs/ocfs2/journal.h
	fs/ocfs2/super.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/7ef516888c4d30ae41bfcd79e7077d86d92794c5
	https://git.kernel.org/stable/c/2b7e59ed2e77136e9360274f8f0fc208a003e95c
	https://git.kernel.org/stable/c/8059e200259e9c483d715fc2df6340c227c3e196
	https://git.kernel.org/stable/c/4efe1d2db731bad19891e2fb9b338724b1f598cc
	https://git.kernel.org/stable/c/50ab0ca3aff4da26037113d69f5a756d8c1a92cd
	https://git.kernel.org/stable/c/ce2fcf1516d674a174d9b34d1e1024d64de9fba3
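The two error paths the Description above refers to, reduced to a stand-alone C model. This is an added illustration, not ocfs2's code: the struct, the function names (compute_replay_slots, truncate_log_init, make_root, fill_super), the fault-injection flags and the live-allocation counter are stand-ins chosen to mirror the announcement. The leaky mount returns straight from a failed truncate-log init, and the unfixed dismount path never frees the map once d_make_root() fails; the fixed variants unwind the allocation on both paths, which is what the commits do with a new error label in ocfs2_mount_volume() and a call to ocfs2_free_replay_slots() under out_dismount.

```c
/* Added illustration of the error-path leak behind CVE-2022-50770.
 * Not ocfs2 code: names mirror the announcement, bodies are stand-ins.
 * A counter tracks live replay maps so the leak is observable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs;                 /* replay maps currently allocated */

struct replay_map { int num_slots; unsigned char state[]; };
struct osb { struct replay_map *replay_map; };   /* stand-in for ocfs2_super */

/* Fault-injection knobs (assumption: the real steps fail on I/O or -ENOMEM). */
static int fail_truncate_log_init;
static int fail_make_root;

/* Stand-in for ocfs2_compute_replay_slots(): allocates osb->replay_map. */
static int compute_replay_slots(struct osb *osb, int num_slots)
{
    struct replay_map *m = malloc(sizeof(*m) + (size_t)num_slots);
    if (!m)
        return -12;                     /* -ENOMEM */
    m->num_slots = num_slots;
    memset(m->state, 1, (size_t)num_slots);
    osb->replay_map = m;
    live_allocs++;
    return 0;
}

/* Stand-in for ocfs2_free_replay_slots(): the only place the map is freed. */
static void free_replay_slots(struct osb *osb)
{
    if (!osb->replay_map)
        return;
    free(osb->replay_map);
    osb->replay_map = NULL;
    live_allocs--;
}

static int truncate_log_init(void) { return fail_truncate_log_init ? -5 : 0; }
static int make_root(void)         { return fail_make_root ? -12 : 0; }

/* Problem 1, buggy: a later init step fails and the allocation is not unwound. */
static int mount_volume_leaky(struct osb *osb)
{
    int ret = compute_replay_slots(osb, 16);   /* check_volume() step */
    if (ret)
        return ret;
    ret = truncate_log_init();
    if (ret)
        return ret;                            /* leak: replay_map kept */
    return 0;
}

/* Problem 1, fixed: every failure after the allocation frees it. */
static int mount_volume_fixed(struct osb *osb)
{
    int ret = compute_replay_slots(osb, 16);
    if (ret)
        return ret;
    ret = truncate_log_init();
    if (ret)
        goto out_free_replay;
    return 0;
out_free_replay:
    free_replay_slots(osb);
    return ret;
}

/* Problem 2: mount succeeded, so the map is live and would normally be freed
 * by complete_mount_recovery(); if make_root() fails first, only the dismount
 * path can free it, and the unfixed dismount path does not. */
static int fill_super(struct osb *osb, int (*mount)(struct osb *), int fix_dismount)
{
    int ret = mount(osb);
    if (ret)
        return ret;
    ret = make_root();
    if (ret)
        goto out_dismount;
    free_replay_slots(osb);                /* stand-in for complete_mount_recovery() */
    return 0;
out_dismount:
    if (fix_dismount)
        free_replay_slots(osb);            /* the fix: free under out_dismount */
    return ret;
}

/* Run one mount attempt; return how many replay maps are still live afterwards. */
static int leaked_after(int (*mount)(struct osb *), int fix_dismount,
                        int fail_tlog, int fail_root)
{
    struct osb osb = { 0 };
    live_allocs = 0;
    fail_truncate_log_init = fail_tlog;
    fail_make_root = fail_root;
    (void)fill_super(&osb, mount, fix_dismount);
    return live_allocs;
}

int main(void)
{
    printf("leaky, truncate_log_init fails: %d leaked\n", leaked_after(mount_volume_leaky, 0, 1, 0));
    printf("fixed, truncate_log_init fails: %d leaked\n", leaked_after(mount_volume_fixed, 1, 1, 0));
    printf("leaky, make_root fails:         %d leaked\n", leaked_after(mount_volume_leaky, 0, 0, 1));
    printf("fixed, make_root fails:         %d leaked\n", leaked_after(mount_volume_fixed, 1, 0, 1));
    printf("fixed, clean mount:             %d leaked\n", leaked_after(mount_volume_fixed, 1, 0, 0));
    return 0;
}
```

The pattern to check for in any mount or probe routine is the same one kmemleak flagged here: an allocation made in one helper whose only release lives in the success path of a later helper. Each early return between the two, and each teardown label reached after the allocation, must release it.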
