CVE-2022-49349
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
26/02/2025
Last modified:
25/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in ext4_rename_dir_prepare

We got the issue as follows:

```text
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478
ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae
==================================================================
BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220
Read of size 4 at addr ffff88810beee6ae by task rep/1895

CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241
Call Trace:
dump_stack+0xbe/0xf9
print_address_description.constprop.0+0x1e/0x220
kasan_report.cold+0x37/0x7f
ext4_rename_dir_prepare+0x152/0x220
ext4_rename+0xf44/0x1ad0
ext4_rename2+0x11c/0x170
vfs_rename+0xa84/0x1440
do_renameat2+0x683/0x8f0
__x64_sys_renameat+0x53/0x60
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f45a6fc41c9
RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9
RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005
RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080
R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0
R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee
flags: 0x200000000000000()
raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
ext4_rename_dir_prepare: [2] parent_de->inode=3537895424
ext4_rename_dir_prepare: [3] dir=0xffff888124170140
ext4_rename_dir_prepare: [4] ino=2
ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872
```

The reason is that the first directory entry's 'rec_len' is 34478, so we get an illegal
parent entry. Currently, we do not check the directory entry after reading the directory block
in 'ext4_get_first_dir_block'.
To solve this issue, check the directory entry in 'ext4_get_first_dir_block'.

[ Trigger an ext4_error() instead of just warning if the directory is
missing a '.' or '..' entry. Also make sure we return an error code
if the file system is corrupted. -TYT ]
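The following is an added, stand-alone C model of the check the fix describes; it is not the kernel's code and not part of this advisory. It reads raw ext4-style directory entries (inode, rec_len, name_len, file_type, name) out of a 4096-byte block, applies the same sanity checks the kernel's `__ext4_check_dir_entry()` performs (minimum rec_len, 4-byte alignment, rec_len covering the name, no overrun past the block), and only then trusts the `.` and `..` entries to return a parent inode. The function names (`check_dir_entry`, `first_block_parent_inode`, `sample_parent`, `sample_check`), the host-byte-order encoding and the two constructed blocks are assumptions made for this example; the corrupt block reproduces only the shape the advisory describes, a first entry whose rec_len is 34478.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCKSIZE 4096u
#define DIR_ENTRY_HDR 8u                   /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */
/* ext4 pads every entry to a 4-byte boundary (cf. EXT4_DIR_REC_LEN). */
#define DIR_REC_LEN(nl) (((nl) + DIR_ENTRY_HDR + 3u) & ~3u)

/* Decoded view of one on-disk entry; constructed sample data uses host byte order. */
struct dirent_view {
    uint32_t inode;
    uint16_t rec_len;
    uint8_t name_len;
    uint8_t file_type;
    const char *name;                      /* points into the block, not copied */
};

/* Read the fixed header at `off`; caller must have verified off + 8 <= blocksize. */
static struct dirent_view read_entry(const uint8_t *block, size_t off)
{
    struct dirent_view v;
    memcpy(&v.inode, block + off, 4);
    memcpy(&v.rec_len, block + off + 4, 2);
    v.name_len = block[off + 6];
    v.file_type = block[off + 7];
    v.name = (const char *)(block + off + DIR_ENTRY_HDR);
    return v;
}

/* Non-zero results name the first failed check, in the kernel's order. */
enum dir_err { DIR_OK = 0, DIR_HDR_PAST_BLOCK, DIR_RLEN_TOO_SMALL,
               DIR_RLEN_UNALIGNED, DIR_RLEN_LT_NAME, DIR_CROSSES_BLOCK };

/* The checks __ext4_check_dir_entry() applies to the entry at `off`. */
enum dir_err check_dir_entry(const uint8_t *block, size_t blocksize, size_t off)
{
    if (off + DIR_ENTRY_HDR > blocksize) return DIR_HDR_PAST_BLOCK;
    struct dirent_view de = read_entry(block, off);
    if (de.rec_len < DIR_REC_LEN(1)) return DIR_RLEN_TOO_SMALL;
    if (de.rec_len & 3) return DIR_RLEN_UNALIGNED;
    if (de.rec_len < DIR_REC_LEN(de.name_len)) return DIR_RLEN_LT_NAME;
    if (off + de.rec_len > blocksize) return DIR_CROSSES_BLOCK;   /* what 34478 trips */
    return DIR_OK;
}

/* What a hardened ext4_get_first_dir_block() must establish before handing out a
 * parent entry: entry 0 is "." for dir_ino, the next entry is "..", and both pass
 * check_dir_entry(). Returns the parent inode, or 0 when the block is corrupt. */
uint32_t first_block_parent_inode(const uint8_t *block, size_t blocksize, uint32_t dir_ino)
{
    if (check_dir_entry(block, blocksize, 0) != DIR_OK) return 0;
    struct dirent_view dot = read_entry(block, 0);
    if (dot.inode != dir_ino || dot.name_len != 1 || dot.name[0] != '.') return 0;

    size_t off = dot.rec_len;              /* ext4_next_entry(): advance by rec_len */
    if (check_dir_entry(block, blocksize, off) != DIR_OK) return 0;
    struct dirent_view dotdot = read_entry(block, off);
    if (dotdot.name_len != 2 || memcmp(dotdot.name, "..", 2) != 0) return 0;
    return dotdot.inode;
}

/* Write one entry at `off` (constructed sample data); returns the next offset. */
static size_t put_entry(uint8_t *block, size_t off, uint32_t ino, uint16_t rec_len,
                        const char *name, uint8_t ftype)
{
    uint8_t nl = (uint8_t)strlen(name);
    memcpy(block + off, &ino, 4);
    memcpy(block + off + 4, &rec_len, 2);
    block[off + 6] = nl;
    block[off + 7] = ftype;
    memcpy(block + off + DIR_ENTRY_HDR, name, nl);
    return off + rec_len;
}

/* Constructed blocks: a well-formed "." / ".." pair, and the corrupt shape from the
 * advisory (first entry's rec_len = 34478, which is neither aligned nor in-block). */
static void build_block(uint8_t *block, int corrupt, uint32_t dir_ino, uint32_t parent_ino)
{
    memset(block, 0, BLOCKSIZE);
    if (corrupt) {
        put_entry(block, 0, dir_ino, 34478, ".", 2);
        return;
    }
    size_t off = put_entry(block, 0, dir_ino, DIR_REC_LEN(1), ".", 2);
    put_entry(block, off, parent_ino, (uint16_t)(BLOCKSIZE - off), "..", 2);
}

/* Parent inode the hardened lookup yields for the sample (dir inode 2, parent 11). */
uint32_t sample_parent(int corrupt)
{
    uint8_t blk[BLOCKSIZE];
    build_block(blk, corrupt, 2, 11);
    return first_block_parent_inode(blk, BLOCKSIZE, 2);
}

/* Per-entry check result for the sample's first entry. */
enum dir_err sample_check(int corrupt)
{
    uint8_t blk[BLOCKSIZE];
    build_block(blk, corrupt, 2, 11);
    return check_dir_entry(blk, BLOCKSIZE, 0);
}

int main(void)
{
    printf("good block: check=%d parent=%u\n", sample_check(0), sample_parent(0));
    printf("bad block:  check=%d parent=%u\n", sample_check(1), sample_parent(1));
    return 0;
}
```

Without the checks, the lookup would advance by the first entry's rec_len and read a "parent" entry tens of kilobytes past the buffer, which is exactly the read the KASAN report above flags; with them, the corrupt block is rejected before any pointer derived from rec_len is dereferenced, and the caller can return an error instead of proceeding with garbage.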
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.318 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.283 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.247 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.198 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.121 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.46 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.17.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.18 (including) | 5.18.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0be698ecbe4471fcad80e81ec6a05001421041b3
- https://git.kernel.org/stable/c/0ff38b99fa075ddd246487a28cb9af049f4ceef1
- https://git.kernel.org/stable/c/10801095224de0d0ab06ae60698680c1f883a3ae
- https://git.kernel.org/stable/c/1a3a15bf6f9963d755270cbdb282863b84839195
- https://git.kernel.org/stable/c/364380c00912bed9b5d99eb485018360b0ecf64f
- https://git.kernel.org/stable/c/4a2bea60cf7ff957b3eda0b17750d483876a02fa
- https://git.kernel.org/stable/c/97f802a652a749422dede32071d29a53cf4bd034
- https://git.kernel.org/stable/c/dd887f83ea54aea5b780a84527e23ab95f777fed
- https://git.kernel.org/stable/c/eaecf7ebfd5dd09038a80b14be46b844f54cfc5c