Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2022-50753

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
24/12/2025
Last modified:
24/12/2025

Description

*** Pending translation *** In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on summary info

As Wenqing Liu reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=216456

BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
Read of size 4 at addr ffff8881464dcd80 by task mount/1013

CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x45/0x5e
print_report.cold+0xf3/0x68d
kasan_report+0xa8/0x130
recover_data+0x63ae/0x6ae0 [f2fs]
f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
f2fs_fill_super+0x4665/0x61e0 [f2fs]
mount_bdev+0x2cf/0x3b0
legacy_get_tree+0xed/0x1d0
vfs_get_tree+0x81/0x2b0
path_mount+0x47e/0x19d0
do_mount+0xce/0xf0
__x64_sys_mount+0x12c/0x1a0
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is: in the fuzzed image, the SSA table is corrupted: ofs_in_node is larger than ADDRS_PER_PAGE(), resulting in an out-of-range access on a 4k-size page.

- recover_data
- do_recover_data
- check_index_in_prev_nodes
- f2fs_data_blkaddr

This patch adds a sanity check on summary info in the recovery and GC flows, where those flows rely on it.

After patch:
[ 29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018
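The check the fix describes, as an added model that is not the kernel's own code: a summary entry's ofs_in_node is validated against the node page's address capacity before it is used as an array index, and an inconsistent entry is rejected with a log line in the style of the one above. All struct and function names, the error code, and the page size (taken from the "max:1018" in the log line) are assumptions for this illustration.

```c
/* Added model (not the kernel's own code) of the sanity check this fix adds:
 * a summary entry's ofs_in_node is validated against the node page's address
 * capacity before it is used as an array index. Names and sizes are assumed. */
#include <stdint.h>
#include <stdio.h>

#define MODEL_ADDRS_PER_PAGE 1018u   /* "max:1018" in the log line on this page */
#define MODEL_EFSCORRUPTED   117     /* placeholder error code, not the kernel's errno */

struct model_summary   { uint32_t nid; uint16_t ofs_in_node; };
struct model_node_page { uint32_t addr[MODEL_ADDRS_PER_PAGE]; };

/* Hardened lookup: refuses an out-of-range ofs_in_node instead of reading past
 * the page. Returns 0 and stores the block address in *out, or a negative code. */
int model_data_blkaddr(const struct model_node_page *page,
                       const struct model_summary *sum,
                       uint32_t max_addrs, uint32_t *out)
{
    if (sum->ofs_in_node >= max_addrs) {
        fprintf(stderr,
                "F2FS-fs (model): Inconsistent ofs_in_node:%u in summary, nid:%u, max:%u\n",
                (unsigned)sum->ofs_in_node, sum->nid, max_addrs);
        return -MODEL_EFSCORRUPTED;
    }
    *out = page->addr[sum->ofs_in_node];
    return 0;
}

/* Constructed scenario: one well-formed entry and one mirroring the corrupted
 * ofs_in_node (65286) quoted in the report. Returns 0 when both behave as expected. */
int model_recover_scenario(void)
{
    static struct model_node_page page;      /* zero-initialised; one known address */
    struct model_summary good = { .nid = 6, .ofs_in_node = 5 };
    struct model_summary bad  = { .nid = 6, .ofs_in_node = 65286 };
    uint32_t blk = 0;

    page.addr[5] = 0xABCD;
    if (model_data_blkaddr(&page, &good, MODEL_ADDRS_PER_PAGE, &blk) != 0 || blk != 0xABCD)
        return 1;   /* valid entry must resolve to the stored address */
    if (model_data_blkaddr(&page, &bad, MODEL_ADDRS_PER_PAGE, &blk) != -MODEL_EFSCORRUPTED)
        return 2;   /* corrupted entry must be rejected, not dereferenced */
    return 0;
}
```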

Impact