CVE-2022-50638
Publication date:
09/12/2025
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bug_on in __es_tree_search caused by bad boot loader inode

We got an issue as follows:
==================================================================
kernel BUG at fs/ext4/extents_status.c:203!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349
RIP: 0010:ext4_es_end.isra.0+0x34/0x42
RSP: 0018:ffffc9000143b768 EFLAGS: 00010203
RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff
RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0
R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000
FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

__es_tree_search.isra.0+0x6d/0xf5
ext4_es_cache_extent+0xfa/0x230
ext4_cache_extents+0xd2/0x110
ext4_find_extent+0x5d5/0x8c0
ext4_ext_map_blocks+0x9c/0x1d30
ext4_map_blocks+0x431/0xa50
ext4_mpage_readpages+0x48e/0xe40
ext4_readahead+0x47/0x50
read_pages+0x82/0x530
page_cache_ra_unbounded+0x199/0x2a0
do_page_cache_ra+0x47/0x70
page_cache_ra_order+0x242/0x400
ondemand_readahead+0x1e8/0x4b0
page_cache_sync_ra+0xf4/0x110
filemap_get_pages+0x131/0xb20
filemap_read+0xda/0x4b0
generic_file_read_iter+0x13a/0x250
ext4_file_read_iter+0x59/0x1d0
vfs_read+0x28f/0x460
ksys_read+0x73/0x160
__x64_sys_read+0x1e/0x30
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

==================================================================

In the above issue, ioctl invokes the swap_inode_boot_loader function to
swap inode and inode. However, the inode contains an incorrect imode and
disordered extents, and i_nlink is set to 1. The extents check for the inode in
the ext4_iget function can be bypassed because 5 is EXT4_BOOT_LOADER_INO.
While links_count is set to 1, the extents are not initialized in
swap_inode_boot_loader. After the ioctl command is executed successfully,
the extents are swapped to the inode; in this case, running the `cat` command
to view the inode triggers BUG_ON due to the incorrect extents.

When the boot loader inode is not initialized, its imode can be one of the
following:
1) the imode is a bad type, which is marked as bad_inode in ext4_iget and
set to S_IFREG.
2) the imode is a good type but not S_IFREG.
3) the imode is S_IFREG.

The BUG_ON may be triggered by bypassing the check in cases 1 and 2.
Therefore, when the boot loader inode is bad_inode or its imode is not
S_IFREG, initialize the inode to avoid triggering the BUG.
Severity CVSS v4.0: Pending analysis
Last modification:
09/12/2025