CVE-2022-49075

Severity CVSS v4.0:
Pending analysis
Type:
CWE-190 Integer Overflow or Wraparound
Publication date:
26/02/2025
Last modified:
23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix qgroup reserve overflow the qgroup limit

We use extent_changeset->bytes_changed in qgroup_reserve_data() to record
how many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the
bytes_changed is set as "unsigned int", and it will overflow if we try to
fallocate a range larger than 4GiB. The result is we reserve fewer bytes
and eventually break the qgroup limit.

Unlike regular buffered/direct write, for which we use one changeset for
each ordered extent, which can never be larger than 256M, for
fallocate we use one changeset for the whole range, thus it no longer
respects the 256M per extent limit, and caused the problem.

The following example test script reproduces the problem:

$ cat qgroup-overflow.sh
#!/bin/bash

DEV=/dev/sdj
MNT=/mnt/sdj

mkfs.btrfs -f $DEV
mount $DEV $MNT

# Set qgroup limit to 2GiB.
btrfs quota enable $MNT
btrfs qgroup limit 2G $MNT

# Try to fallocate a 3GiB file. This should fail.
echo
echo "Try to fallocate a 3GiB file..."
fallocate -l 3G $MNT/3G.file

# Try to fallocate a 5GiB file.
echo
echo "Try to fallocate a 5GiB file..."
fallocate -l 5G $MNT/5G.file

# See we break the qgroup limit.
echo
sync
btrfs qgroup show -r $MNT

umount $MNT

When running the test:

$ ./qgroup-overflow.sh
(...)

Try to fallocate a 3GiB file...
fallocate: fallocate failed: Disk quota exceeded

Try to fallocate a 5GiB file...

qgroupid         rfer         excl     max_rfer
--------         ----         ----     --------
0/5           5.00GiB      5.00GiB      2.00GiB

Since we have no control of how bytes_changed is used, it's better to
set it to u64.
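The accounting the commit message describes, as an added example in C that is not kernel code and not part of the commit: a qgroup limit check made against a changeset counter that is either the pre-fix 32-bit "unsigned int" or the fixed u64, with the real range length being what the qgroup ends up referencing. The struct and function names (struct qgroup, changeset_bytes_changed, reserve_range, fallocate_reserve, write_reserve) are this example's own; the 256M ordered-extent bound and the 2GiB/3G/5G figures are taken from the description above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GiB (1024ULL * 1024 * 1024)
#define MiB (1024ULL * 1024)
#define ORDERED_EXTENT_MAX (256 * MiB)   /* an ordered extent is never larger than 256M */

/* Minimal stand-in for the qgroup state that "btrfs qgroup show -r" prints. */
struct qgroup {
    uint64_t rfer;      /* bytes referenced by the subvolume */
    uint64_t max_rfer;  /* limit set with "btrfs qgroup limit" */
};

/* Model of extent_changeset->bytes_changed after a range of range_len bytes
 * has been marked EXTENT_QGROUP_RESERVED. With wide == false the counter is
 * the pre-fix "unsigned int" and the addition silently wraps modulo 2^32;
 * with wide == true it is the fixed u64. */
static uint64_t changeset_bytes_changed(uint64_t range_len, bool wide)
{
    if (wide) {
        uint64_t bytes_changed = 0;
        bytes_changed += range_len;
        return bytes_changed;
    }
    uint32_t bytes_changed = 0;
    bytes_changed += (uint32_t)range_len;   /* 5 GiB is counted as 1 GiB here */
    return bytes_changed;
}

/* One reservation against the qgroup, in the spirit of qgroup_reserve_data():
 * the limit check uses the counted bytes_changed, but once the extents exist
 * the qgroup references the real range length. */
static bool reserve_range(struct qgroup *qg, uint64_t len, bool wide)
{
    uint64_t counted = changeset_bytes_changed(len, wide);
    if (qg->rfer + counted > qg->max_rfer)
        return false;                        /* -EDQUOT: "Disk quota exceeded" */
    qg->rfer += len;
    return true;
}

/* fallocate path: a single changeset covers the whole range, so a range
 * above 4 GiB overflows the 32-bit counter. */
bool fallocate_reserve(struct qgroup *qg, uint64_t len, bool wide)
{
    return reserve_range(qg, len, wide);
}

/* Buffered/direct write path: one changeset per ordered extent of at most
 * 256M, so the 32-bit counter cannot wrap. Returns the bytes accepted before
 * the limit was hit. */
uint64_t write_reserve(struct qgroup *qg, uint64_t len, bool wide)
{
    uint64_t done = 0;
    while (len > 0) {
        uint64_t chunk = len < ORDERED_EXTENT_MAX ? len : ORDERED_EXTENT_MAX;
        if (!reserve_range(qg, chunk, wide))
            break;
        done += chunk;
        len -= chunk;
    }
    return done;
}

static void show(const char *what, const struct qgroup *qg)
{
    printf("%-26s rfer %.2fGiB  max_rfer %.2fGiB\n", what,
           (double)qg->rfer / GiB, (double)qg->max_rfer / GiB);
}

int main(void)
{
    /* Replay of the script above: 2GiB limit, then a 3G and a 5G fallocate. */
    struct qgroup buggy = { 0, 2 * GiB };
    printf("3G fallocate (u32 counter): %s\n",
           fallocate_reserve(&buggy, 3 * GiB, false) ? "ok" : "Disk quota exceeded");
    printf("5G fallocate (u32 counter): %s\n",
           fallocate_reserve(&buggy, 5 * GiB, false) ? "ok" : "Disk quota exceeded");
    show("after the 5G fallocate:", &buggy);

    struct qgroup fixed = { 0, 2 * GiB };
    printf("5G fallocate (u64 counter): %s\n",
           fallocate_reserve(&fixed, 5 * GiB, true) ? "ok" : "Disk quota exceeded");

    struct qgroup wr = { 0, 2 * GiB };
    printf("5G buffered write (u32 counter): %llu MiB accepted\n",
           (unsigned long long)(write_reserve(&wr, 5 * GiB, false) / MiB));
    return 0;
}
```

The 3G request is counted correctly (3GiB fits in 32 bits) and is refused; the 5G request is counted as 1GiB, passes the 2GiB check, and leaves rfer at 5GiB, which is the "0/5 5.00GiB ... 2.00GiB" line in the commit's output. The same 5G request through the per-extent write path stops at 2GiB, which is why only fallocate exposed the wraparound.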

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14.276 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.238 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.189 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.111 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.34 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.3 (excluding)
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*