cve/published/2022/CVE-2022-49282.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49282: f2fs: quota: fix loop condition at f2fs_quota_sync()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

f2fs: quota: fix loop condition at f2fs_quota_sync()

cnt should be passed to sb_has_quota_active() instead of type to check
active quota properly.

Moreover, when the type is -1, the compiler with enough inline knowledge
can discard sb_has_quota_active() check altogether, causing a NULL pointer
dereference at the following inode_lock(dqopt->files[cnt]):

[    2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[    2.796024] Mem abort info:
[    2.796025]   ESR = 0x96000005
[    2.796028]   EC = 0x25: DABT (current EL), IL = 32 bits
[    2.796029]   SET = 0, FnV = 0
[    2.796031]   EA = 0, S1PTW = 0
[    2.796032] Data abort info:
[    2.796034]   ISV = 0, ISS = 0x00000005
[    2.796035]   CM = 0, WnR = 0
[    2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000
[    2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000
[    2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[    2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S                5.4.179-arter97-r8-64666-g2f16e087f9d8 #1
[    2.796057] Hardware name: Qualcomm Technologies, Inc. Lahaina MTP lemonadep (DT)
[    2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO)
[    2.796065] pc : down_write+0x28/0x70
[    2.796070] lr : f2fs_quota_sync+0x100/0x294
[    2.796071] sp : ffffffa3f48ffc30
[    2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000
[    2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80
[    2.796077] x25: ffffffa3f7290048 x24: 0000000000000001
[    2.796078] x23: 0000000000000000 x22: ffffffa3f7290000
[    2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110
[    2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038
[    2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0
[    2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0
[    2.796086] x13: 00000000000004f6 x12: 00162c44ff493000
[    2.796088] x11: 0000000000000400 x10: ffffffa40e38c948
[    2.796090] x9 : 0000000000000000 x8 : 00000000000000a0
[    2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a
[    2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d
[    2.796094] x3 : 00000000060c0000 x2 : 0000000000000001
[    2.796096] x1 : 0000000000000000 x0 : 00000000000000a0
[    2.796098] Call trace:
[    2.796100]  down_write+0x28/0x70
[    2.796102]  f2fs_quota_sync+0x100/0x294
[    2.796104]  block_operations+0x120/0x204
[    2.796106]  f2fs_write_checkpoint+0x11c/0x520
[    2.796107]  __checkpoint_and_complete_reqs+0x7c/0xd34
[    2.796109]  issue_checkpoint_thread+0x6c/0xb8
[    2.796112]  kthread+0x138/0x414
[    2.796114]  ret_from_fork+0x10/0x18
[    2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02)
[    2.796120] ---[ end trace 96e942e8eb6a0b53 ]---
[    2.800116] Kernel panic - not syncing: Fatal exception
[    2.800120] SMP: stopping secondary CPUs

The Linux kernel CVE team has assigned CVE-2022-49282 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.148 with commit a02982545e61020c23f411b073ba5171381138e4 and fixed in 5.4.189 with commit f1d5946d47c0827bae39e1537959ce8d6f0224c5
	Issue introduced in 5.10.67 with commit 2d586a3f5b7ec2f5a939db4abc9aa053c237545c and fixed in 5.10.110 with commit e58ee6bd939b773675240f5d0f5b88a367c037c4
	Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.15.33 with commit f9156db0987f1b426015d56505e2c58dee70c90d
	Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.16.19 with commit e9ebf1e8fc50b6a9336f9aea1082d7845e568d0e
	Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.17.2 with commit 724469814d805820cd37ea789769dba94123ff1a
	Issue introduced in 5.15 with commit 9de71ede81e6d1a111fdd868b2d78d459fa77f80 and fixed in 5.18 with commit 680af5b824a52faa819167628665804a14f0e0df
	Issue introduced in 5.13.19 with commit 9dd5052a8a8be252990c1bb451b51f32529411ef
	Issue introduced in 5.14.6 with commit 699a077aa087c17cf29c7170db71a34141e2effe

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49282
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/f2fs/super.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/f1d5946d47c0827bae39e1537959ce8d6f0224c5
	https://git.kernel.org/stable/c/e58ee6bd939b773675240f5d0f5b88a367c037c4
	https://git.kernel.org/stable/c/f9156db0987f1b426015d56505e2c58dee70c90d
	https://git.kernel.org/stable/c/e9ebf1e8fc50b6a9336f9aea1082d7845e568d0e
	https://git.kernel.org/stable/c/724469814d805820cd37ea789769dba94123ff1a
	https://git.kernel.org/stable/c/680af5b824a52faa819167628665804a14f0e0df