CVE-2022-49276

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jffs2: fix memory leak in jffs2_scan_medium<br /> <br /> If an error is returned in jffs2_scan_eraseblock() and some memory<br /> has been added to the jffs2_summary *s, we can observe the following<br /> kmemleak report:<br /> <br /> --------------------------------------------<br /> unreferenced object 0xffff88812b889c40 (size 64):<br /> comm "mount", pid 692, jiffies 4294838325 (age 34.288s)<br /> hex dump (first 32 bytes):<br /> 40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P.<br /> 00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................<br /> backtrace:<br /> [] __kmalloc+0x613/0x910<br /> [] jffs2_sum_add_dirent_mem+0x5c/0xa0<br /> [] jffs2_scan_medium.cold+0x36e5/0x4794<br /> [] jffs2_do_mount_fs.cold+0xa7/0x2267<br /> [] jffs2_do_fill_super+0x383/0xc30<br /> [] jffs2_fill_super+0x2ea/0x4c0<br /> [] mtd_get_sb+0x254/0x400<br /> [] mtd_get_sb_by_nr+0x4f/0xd0<br /> [] get_tree_mtd+0x498/0x840<br /> [] jffs2_get_tree+0x25/0x30<br /> [] vfs_get_tree+0x8d/0x2e0<br /> [] path_mount+0x50f/0x1e50<br /> [] do_mount+0x107/0x130<br /> [] __se_sys_mount+0x1c5/0x2f0<br /> [] __x64_sys_mount+0xc7/0x160<br /> [] do_syscall_64+0x45/0x70<br /> unreferenced object 0xffff888114b54840 (size 32):<br /> comm "mount", pid 692, jiffies 4294838325 (age 34.288s)<br /> hex dump (first 32 bytes):<br /> c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u..............<br /> 00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk.<br /> backtrace:<br /> [] kmem_cache_alloc_trace+0x584/0x880<br /> [] jffs2_sum_add_inode_mem+0x54/0x90<br /> [] jffs2_scan_medium.cold+0x4481/0x4794<br /> [...]<br /> unreferenced object 0xffff888114b57280 (size 32):<br /> comm "mount", pid 692, jiffies 4294838393 (age 34.357s)<br /> hex dump (first 32 bytes):<br /> 10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l.............<br /> 00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk.<br /> backtrace:<br /> [] kmem_cache_alloc_trace+0x584/0x880<br /> [] jffs2_sum_add_xattr_mem+0x54/0x90<br /> [] jffs2_scan_medium.cold+0x298c/0x4794<br /> [...]<br /> unreferenced object 0xffff8881116cd510 (size 16):<br /> comm "mount", pid 692, jiffies 4294838395 (age 34.355s)<br /> hex dump (first 16 bytes):<br /> 00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k.<br /> backtrace:<br /> [] kmem_cache_alloc_trace+0x584/0x880<br /> [] jffs2_sum_add_xref_mem+0x54/0x90<br /> [] jffs2_scan_medium.cold+0x3a20/0x4794<br /> [...]<br /> --------------------------------------------<br /> <br /> Therefore, we should call jffs2_sum_reset_collected(s) on exit to<br /> release the memory added in s. In addition, a new tag "out_buf" is<br /> added to prevent the NULL pointer reference caused by s being NULL.<br /> (thanks to Zhang Yi for this analysis)