Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2022-50673

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
09/12/2025
Last modified:
09/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in ext4_orphan_cleanup

I caught an issue as follows:
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
Read of size 8 at addr ffff88814b13f378 by task mount/710

CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
Call Trace:
 dump_stack_lvl+0x73/0x9f
 print_report+0x25d/0x759
 kasan_report+0xc0/0x120
 __asan_load8+0x99/0x140
 __list_add_valid+0x28/0x1a0
 ext4_orphan_cleanup+0x564/0x9d0 [ext4]
 __ext4_fill_super+0x48e2/0x5300 [ext4]
 ext4_fill_super+0x19f/0x3a0 [ext4]
 get_tree_bdev+0x27b/0x450
 ext4_get_tree+0x19/0x30 [ext4]
 vfs_get_tree+0x49/0x150
 path_mount+0xaae/0x1350
 do_mount+0xe2/0x110
 __x64_sys_mount+0xf0/0x190
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

[...]
==================================================================

Above issue may happen as follows:
-------------------------------------
ext4_fill_super
  ext4_orphan_cleanup
   --- loop1: assume last_orphan is 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
    ext4_truncate --> return 0
      ext4_inode_attach_jinode --> return -ENOMEM
    iput(inode) --> free inode
   --- loop2: last_orphan is still 12 ---
    list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
    // use inode and trigger UAF

To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
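Added example, not part of the advisory or of the kernel patch: a user-space C model of the loop1/loop2 sequence above, in which a freed inode is marked with a `live` flag instead of actually being freed, so the stale list entry can be detected safely. The `node` type, the `*_model` functions and the caller's unlink-and-stop handling of a propagated error are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define MODEL_ENOMEM 12

/* Constructed user-space model; names mirror the advisory but this is not kernel code. */
struct node { struct node *next, *prev; bool live; };

static void list_del_model(struct node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
}

/* Like __list_add_valid, inspect the current first entry before linking. */
static bool list_add_model(struct node *n, struct node *head)
{
    if (!head->next->live)
        return false;               /* first entry was already freed: UAF */
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
    return true;
}

/* Truncate whose jinode attach fails; the old code reported success anyway. */
static int truncate_model(bool propagate)
{
    int err = -MODEL_ENOMEM;        /* ext4_inode_attach_jinode --> -ENOMEM */
    return propagate ? err : 0;
}

/* Returns the number of use-after-free accesses seen during orphan cleanup. */
int orphan_cleanup_model(bool propagate)
{
    struct node s_orphan = { &s_orphan, &s_orphan, true };
    struct node inodes[2] = { { NULL, NULL, false }, { NULL, NULL, false } };
    int last_orphan = 12, uaf = 0;

    for (int pass = 0; pass < 2 && last_orphan; pass++) {
        struct node *inode = &inodes[pass];
        inode->live = true;                     /* inode 12 read in again */
        if (!list_add_model(inode, &s_orphan)) { uaf++; break; }
        if (truncate_model(propagate) != 0) {   /* assumed caller handling: */
            list_del_model(inode);              /* unlink and stop the scan */
            last_orphan = 0;
        }
        inode->live = false;                    /* iput(inode) --> free inode */
    }
    return uaf;
}
```

With `propagate` false the second pass finds the freed entry still linked on `s_orphan`; with `propagate` true the caller sees the error on the first pass and no stale entry remains.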

Impact