CVE-2022-49174

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
26/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit

In case of the flex_bg feature (which is enabled by default), extents for any given inode might span across blocks from two different block groups. ext4_mb_mark_bb() only reads the buffer_head of the block bitmap once for the starting block group, but it fails to read it again when the extent length boundary overflows into another block group. Then in the loop below it accesses memory beyond the block group bitmap buffer_head and results in a data abort.

    for (i = 0; i b_data) == !state)
        already++;

This patch adds this functionality for checking the block group boundary in ext4_mb_mark_bb() and updates the buffer_head (bitmap_bh) for every different block group.

w/o this patch, I was easily able to hit a data access abort using a Power platform.

    [ 74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters
    [ 74.533214] EXT4-fs (loop3): shut down requested (2)
    [ 74.536705] Aborting journal on device loop3-8.
    [ 74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000
    [ 74.703727] Faulting instruction address: 0xc0000000007bffb8
    cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060]
    pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0
    lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0
    sp: c000000015db7300
    msr: 800000000280b033
    dar: c00000005e980000
    dsisr: 40000000
    current = 0xc000000027af6880
    paca = 0xc00000003ffd5200 irqmask: 0x03 irq_happened: 0x01
    pid = 5167, comm = mount

    enter ? for help
    [c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410
    [c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000
    [c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0
    [c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0
    [c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0
    [c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10
    [c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350
    [c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40
    [c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100
    [c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70
    [c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550
    [c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0
    [c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250
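The boundary handling the fix describes, as an added example in C that is not kernel code: a range is clamped to the end of the current block group and the bitmap is re-read for each group it enters. The toy_fs layout, load_bitmap() and used_after_marking() are constructed stand-ins for ext4's buffer_head handling.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy layout: 4 block groups of 64 blocks, one byte per block. */
#define BLOCKS_PER_GROUP 64u
#define NGROUPS 4u
struct toy_fs { uint8_t bitmap[NGROUPS][BLOCKS_PER_GROUP]; };

/* Stand-in for reading one group's block-bitmap buffer_head. */
static uint8_t *load_bitmap(struct toy_fs *fs, uint64_t group)
{
	return group < NGROUPS ? fs->bitmap[group] : NULL;
}

/* Mark [block, block+len) used (state=1) or free (state=0). Each pass is
 * clamped to the end of the current group and the bitmap is re-read for
 * every group the range enters, so the inner loop never indexes past one
 * group's buffer. Returns how many blocks were already in the requested
 * state, or -1 if the range runs past the last group. */
static long mark_bb(struct toy_fs *fs, uint64_t block, uint64_t len, int state)
{
	long already = 0;
	while (len > 0) {
		uint64_t blkoff = block % BLOCKS_PER_GROUP;
		uint64_t thislen = len;
		if (blkoff + thislen > BLOCKS_PER_GROUP)
			thislen = BLOCKS_PER_GROUP - blkoff;   /* stop at group end */
		uint8_t *bh = load_bitmap(fs, block / BLOCKS_PER_GROUP);
		if (!bh)
			return -1;
		for (uint64_t i = 0; i < thislen; i++) {
			if (bh[blkoff + i] == (uint8_t)state)
				already++;
			bh[blkoff + i] = (uint8_t)state;
		}
		block += thislen;
		len -= thislen;
	}
	return already;
}

/* Mark one range on an all-free toy fs and report one group's used-block
 * count (-1 if marking failed), so cross-group marking can be checked. */
static long used_after_marking(uint64_t block, uint64_t len, unsigned group)
{
	struct toy_fs fs;
	memset(&fs, 0, sizeof fs);
	if (mark_bb(&fs, block, len, 1) < 0)
		return -1;
	long n = 0;
	for (unsigned i = 0; i < BLOCKS_PER_GROUP; i++)
		n += fs.bitmap[group][i];
	return n;
}
```

A range starting at block 60 with length 10 lands as 4 blocks in group 0 and 6 in group 1; a range running past the last group is refused instead of read past the buffer.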

Impact