CVE-2022-49349

In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_rename_dir_prepare We got issue as follows: EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478 ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000 ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae ================================================================== BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220 Read of size 4 at addr ffff88810beee6ae by task rep/1895 CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241 Call Trace: dump_stack+0xbe/0xf9 print_address_description.constprop.0+0x1e/0x220 kasan_report.cold+0x37/0x7f ext4_rename_dir_prepare+0x152/0x220 ext4_rename+0xf44/0x1ad0 ext4_rename2+0x11c/0x170 vfs_rename+0xa84/0x1440 do_renameat2+0x683/0x8f0 __x64_sys_renameat+0x53/0x60 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f45a6fc41c9 RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9 RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005 RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080 R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0 R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the page: page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee flags: 0x200000000000000() raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Disabling lock debugging due to kernel taint ext4_rename_dir_prepare: [2] parent_de->inode=3537895424 ext4_rename_dir_prepare: [3] dir=0xffff888124170140 ext4_rename_dir_prepare: [4] ino=2 ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872 Reason is first directory entry which 'rec_len' is 34478, then will get illegal parent entry. Now, we do not check directory entry after read directory block in 'ext4_get_first_dir_block'. To solve this issue, check directory entry in 'ext4_get_first_dir_block'. [ Trigger an ext4_error() instead of just warning if the directory is missing a '.' or '..' entry. Also make sure we return an error code if the file system is corrupted. -TYT ]

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0be698ecbe4471fcad80e81ec6a05001421041b3	Patch
https://git.kernel.org/stable/c/0ff38b99fa075ddd246487a28cb9af049f4ceef1	Patch
https://git.kernel.org/stable/c/10801095224de0d0ab06ae60698680c1f883a3ae	Patch
https://git.kernel.org/stable/c/1a3a15bf6f9963d755270cbdb282863b84839195	Patch
https://git.kernel.org/stable/c/364380c00912bed9b5d99eb485018360b0ecf64f	Patch
https://git.kernel.org/stable/c/4a2bea60cf7ff957b3eda0b17750d483876a02fa	Patch
https://git.kernel.org/stable/c/97f802a652a749422dede32071d29a53cf4bd034	Patch
https://git.kernel.org/stable/c/dd887f83ea54aea5b780a84527e23ab95f777fed	Patch
https://git.kernel.org/stable/c/eaecf7ebfd5dd09038a80b14be46b844f54cfc5c	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

25 Mar 2025, 14:51

Type	Values Removed	Values Added
First Time		Linux Linux linux Kernel
CPE		cpe:2.3:o:linux:linux_kernel::::::::
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: se corrige el use-after-free en ext4_rename_dir_prepare Tuvimos el siguiente problema: EXT4-fs (loop0): sistema de archivos montado sin diario. Opciones: ,errores=continuar ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478 ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000 ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae =================================================================== ERROR: KASAN: use-after-free en ext4_rename_dir_prepare+0x152/0x220 Lectura de tamaño 4 en la dirección ffff88810beee6ae por tarea rep/1895 CPU: 13 PID: 1895 Comm: rep No contaminado 5.10.0+ #241 Seguimiento de llamadas: dump_stack+0xbe/0xf9 print_address_description.constprop.0+0x1e/0x220 kasan_report.cold+0x37/0x7f ext4_rename_dir_prepare+0x152/0x220 ext4_rename+0xf44/0x1ad0 ext4_rename2+0x11c/0x170 vfs_rename+0xa84/0x1440 do_renameat2+0x683/0x8f0 __x64_sys_renameat+0x53/0x60 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f45a6fc41c9 RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108 RAX: ffffffffffffffda RBX: 000000000000000 RCX: 00007f45a6fc41c9 RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005 RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080 R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0 R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000 La dirección con errores pertenece a la página: page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee flags: 0x200000000000000() raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000 raw: 000000000000001 000000000000000 00000000ffffffff 000000000000000 página volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la dirección con errores: ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ====================================================================== Desactivar bloqueo depuración debido a la corrupción del kernel ext4_rename_dir_prepare: [2] parent_de->inode=3537895424 ext4_rename_dir_prepare: [3] dir=0xffff888124170140 ext4_rename_dir_prepare: [4] ino=2 ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872 El motivo es que la primera entrada del directorio cuyo 'rec_len' es 34478, obtendrá una entrada principal ilegal. Ahora, no verificamos la entrada del directorio después de leer el bloque del directorio en 'ext4_get_first_dir_block'. Para resolver este problema, verifique la entrada del directorio en 'ext4_get_first_dir_block'. [ Active un ext4_error() en lugar de solo advertir si al directorio le falta una entrada '.' o '..'. También asegúrese de que devolvamos un código de error si el sistema de archivos está dañado. -¡ ...
References	~~() https://git.kernel.org/stable/c/0be698ecbe4471fcad80e81ec6a05001421041b3 -~~	() https://git.kernel.org/stable/c/0be698ecbe4471fcad80e81ec6a05001421041b3 - Patch
References	~~() https://git.kernel.org/stable/c/0ff38b99fa075ddd246487a28cb9af049f4ceef1 -~~	() https://git.kernel.org/stable/c/0ff38b99fa075ddd246487a28cb9af049f4ceef1 - Patch
References	~~() https://git.kernel.org/stable/c/10801095224de0d0ab06ae60698680c1f883a3ae -~~	() https://git.kernel.org/stable/c/10801095224de0d0ab06ae60698680c1f883a3ae - Patch
References	~~() https://git.kernel.org/stable/c/1a3a15bf6f9963d755270cbdb282863b84839195 -~~	() https://git.kernel.org/stable/c/1a3a15bf6f9963d755270cbdb282863b84839195 - Patch
References	~~() https://git.kernel.org/stable/c/364380c00912bed9b5d99eb485018360b0ecf64f -~~	() https://git.kernel.org/stable/c/364380c00912bed9b5d99eb485018360b0ecf64f - Patch
References	~~() https://git.kernel.org/stable/c/4a2bea60cf7ff957b3eda0b17750d483876a02fa -~~	() https://git.kernel.org/stable/c/4a2bea60cf7ff957b3eda0b17750d483876a02fa - Patch
References	~~() https://git.kernel.org/stable/c/97f802a652a749422dede32071d29a53cf4bd034 -~~	() https://git.kernel.org/stable/c/97f802a652a749422dede32071d29a53cf4bd034 - Patch
References	~~() https://git.kernel.org/stable/c/dd887f83ea54aea5b780a84527e23ab95f777fed -~~	() https://git.kernel.org/stable/c/dd887f83ea54aea5b780a84527e23ab95f777fed - Patch
References	~~() https://git.kernel.org/stable/c/eaecf7ebfd5dd09038a80b14be46b844f54cfc5c -~~	() https://git.kernel.org/stable/c/eaecf7ebfd5dd09038a80b14be46b844f54cfc5c - Patch

27 Feb 2025, 19:15

Type	Values Removed	Values Added
CWE		CWE-416
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

26 Feb 2025, 07:01

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-26 07:01

Updated : 2025-03-25 14:51

NVD link : CVE-2022-49349

Mitre link : CVE-2022-49349

CVE.ORG link : CVE-2022-49349

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

7.8 /10