-

CVE-2022-50753

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on summary info

As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=216456

BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
Read of size 4 at addr ffff8881464dcd80 by task mount/1013

CPU: 3 PID: 1013 Comm: mount Tainted: G        W          6.0.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x45/0x5e
 print_report.cold+0xf3/0x68d
 kasan_report+0xa8/0x130
 recover_data+0x63ae/0x6ae0 [f2fs]
 f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
 f2fs_fill_super+0x4665/0x61e0 [f2fs]
 mount_bdev+0x2cf/0x3b0
 legacy_get_tree+0xed/0x1d0
 vfs_get_tree+0x81/0x2b0
 path_mount+0x47e/0x19d0
 do_mount+0xce/0xf0
 __x64_sys_mount+0x12c/0x1a0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is: in fuzzed image, SSA table is corrupted: ofs_in_node
is larger than ADDRS_PER_PAGE(), result in out-of-range access on 4k-size
page.

- recover_data
 - do_recover_data
  - check_index_in_prev_nodes
   - f2fs_data_blkaddr

This patch adds sanity check on summary info in recovery and GC flow
in where the flows rely on them.

After patch:
[   29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < c99860f9a75079f339ed7670425b1ac58f26e2ff
Version b292dcab068e141d8a820b77cbcc88d98c610eb4
Status affected
Version < 4a8e8bf280703e04e0b9d91f101e1fdd9a5bd09e
Version b292dcab068e141d8a820b77cbcc88d98c610eb4
Status affected
Version < 73687c53919f49dff3852155621dab7a35c52854
Version b292dcab068e141d8a820b77cbcc88d98c610eb4
Status affected
Version < e168f819bfa42459b14f479e55ebd550bcc78899
Version b292dcab068e141d8a820b77cbcc88d98c610eb4
Status affected
Version < 0922ad64ccefa3e483e84355942b86e13c8fea68
Version b292dcab068e141d8a820b77cbcc88d98c610eb4
Status affected
Version < c6ad7fd16657ebd34a87a97d9588195aae87597d
Version b292dcab068e141d8a820b77cbcc88d98c610eb4
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 3.11
Status affected
Version < 3.11
Version 0
Status unaffected
Version <= 5.4.*
Version 5.4.220
Status unaffected
Version <= 5.10.*
Version 5.10.150
Status unaffected
Version <= 5.15.*
Version 5.15.75
Status unaffected
Version <= 5.19.*
Version 5.19.17
Status unaffected
Version <= 6.0.*
Version 6.0.3
Status unaffected
Version <= *
Version 6.1
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.1
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.