CVE-2022-50126

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted

The following process will fail the assertion 'jh->b_frozen_data == NULL' in
jbd2_journal_dirty_metadata():

jbd2_journal_commit_transaction
                            unlink(dir/a)
                             jh->b_transaction = trans1
                             jh->b_jlist = BJ_Metadata
  journal->j_running_transaction = NULL
  trans1->t_state = T_COMMIT
                            unlink(dir/b)
                             handle->h_trans = trans2
                             do_get_write_access
                              jh->b_modified = 0
                              jh->b_frozen_data = frozen_buffer
                              jh->b_next_transaction = trans2
                             jbd2_journal_dirty_metadata
                              is_handle_aborted
                               is_journal_aborted // return false
  --> jbd2 abort <--
  while (commit_transaction->t_buffers)
   if (is_journal_aborted)
    jbd2_journal_refile_buffer
     __jbd2_journal_refile_buffer
      WRITE_ONCE(jh->b_transaction,
                 jh->b_next_transaction)
      WRITE_ONCE(jh->b_next_transaction, NULL)
      __jbd2_journal_file_buffer(jh, BJ_Reserved)
                              J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure !

The reproducer (see details in [Link]) reports:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1629!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 584 Comm: unlink Tainted: G W
5.19.0-rc6-00115-g4a57a8400075-dirty #697
RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470
RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202
Call Trace:
 __ext4_handle_dirty_metadata+0xa0/0x290
 ext4_handle_dirty_dirblock+0x10c/0x1d0
 ext4_delete_entry+0x104/0x200
 __ext4_unlink+0x22b/0x360
 ext4_unlink+0x275/0x390
 vfs_unlink+0x20b/0x4c0
 do_unlinkat+0x42f/0x4c0
 __x64_sys_unlink+0x37/0x50
 do_syscall_64+0x35/0x80

After the journal aborts, __jbd2_journal_refile_buffer() is executed while
holding @jh->b_state_lock; we can fix it by moving 'is_handle_aborted()'
into the area protected by @jh->b_state_lock.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.20 (including) | 4.14.291 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.256 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.211 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.18.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19 (including) | 5.19.2 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:2.6.19:rc2:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:2.6.19:rc3:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:2.6.19:rc4:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:2.6.19:rc5:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:2.6.19:rc6:*:*:*:*:*:* | - | -