CVE-2022-49428

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to do sanity check on inline_dots inode<br /> <br /> As Wenqing reported in bugzilla:<br /> <br /> https://bugzilla.kernel.org/show_bug.cgi?id=215765<br /> <br /> It will cause a kernel panic with steps:<br /> - mkdir mnt<br /> - mount tmp40.img mnt<br /> - ls mnt<br /> <br /> folio_mark_dirty+0x33/0x50<br /> f2fs_add_regular_entry+0x541/0xad0 [f2fs]<br /> f2fs_add_dentry+0x6c/0xb0 [f2fs]<br /> f2fs_do_add_link+0x182/0x230 [f2fs]<br /> __recover_dot_dentries+0x2d6/0x470 [f2fs]<br /> f2fs_lookup+0x5af/0x6a0 [f2fs]<br /> __lookup_slow+0xac/0x200<br /> lookup_slow+0x45/0x70<br /> walk_component+0x16c/0x250<br /> path_lookupat+0x8b/0x1f0<br /> filename_lookup+0xef/0x250<br /> user_path_at_empty+0x46/0x70<br /> vfs_statx+0x98/0x190<br /> __do_sys_newlstat+0x41/0x90<br /> __x64_sys_newlstat+0x1a/0x30<br /> do_syscall_64+0x37/0xb0<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> The root cause is for special file: e.g. character, block, fifo or<br /> socket file, f2fs doesn&amp;#39;t assign address space operations pointer array<br /> for mapping-&gt;a_ops field, so, in a fuzzed image, if inline_dots flag was<br /> tagged in special file, during lookup(), when f2fs runs into<br /> __recover_dot_dentries(), it will cause NULL pointer access once<br /> f2fs_add_regular_entry() calls a_ops-&gt;set_dirty_page().