Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2022 / CVE-2022-49409.json
blob: fd0831f98760701887a7536d07e2c39916705a53 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix bug_on in __es_tree_search\n\nHulk Robot reported a BUG_ON:\n==================================================================\nkernel BUG at fs/ext4/extents_status.c:199!\n[...]\nRIP: 0010:ext4_es_end fs/ext4/extents_status.c:199 [inline]\nRIP: 0010:__es_tree_search+0x1e0/0x260 fs/ext4/extents_status.c:217\n[...]\nCall Trace:\n ext4_es_cache_extent+0x109/0x340 fs/ext4/extents_status.c:766\n ext4_cache_extents+0x239/0x2e0 fs/ext4/extents.c:561\n ext4_find_extent+0x6b7/0xa20 fs/ext4/extents.c:964\n ext4_ext_map_blocks+0x16b/0x4b70 fs/ext4/extents.c:4384\n ext4_map_blocks+0xe26/0x19f0 fs/ext4/inode.c:567\n ext4_getblk+0x320/0x4c0 fs/ext4/inode.c:980\n ext4_bread+0x2d/0x170 fs/ext4/inode.c:1031\n ext4_quota_read+0x248/0x320 fs/ext4/super.c:6257\n v2_read_header+0x78/0x110 fs/quota/quota_v2.c:63\n v2_check_quota_file+0x76/0x230 fs/quota/quota_v2.c:82\n vfs_load_quota_inode+0x5d1/0x1530 fs/quota/dquot.c:2368\n dquot_enable+0x28a/0x330 fs/quota/dquot.c:2490\n ext4_quota_enable fs/ext4/super.c:6137 [inline]\n ext4_enable_quotas+0x5d7/0x960 fs/ext4/super.c:6163\n ext4_fill_super+0xa7c9/0xdc00 fs/ext4/super.c:4754\n mount_bdev+0x2e9/0x3b0 fs/super.c:1158\n mount_fs+0x4b/0x1e4 fs/super.c:1261\n[...]\n==================================================================\n\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\n ext4_enable_quotas\n ext4_quota_enable\n ext4_iget\n __ext4_iget\n ext4_ext_check_inode\n ext4_ext_check\n __ext4_ext_check\n ext4_valid_extent_entries\n Check for overlapping extents does't take effect\n dquot_enable\n vfs_load_quota_inode\n v2_check_quota_file\n v2_read_header\n ext4_quota_read\n ext4_bread\n ext4_getblk\n ext4_map_blocks\n ext4_ext_map_blocks\n ext4_find_extent\n ext4_cache_extents\n ext4_es_cache_extent\n ext4_es_cache_extent\n __es_tree_search\n ext4_es_end\n BUG_ON(es->es_lblk + es->es_len < es->es_lblk)\n\nThe error ext4 extents is as follows:\n0af3 0300 0400 0000 00000000 extent_header\n00000000 0100 0000 12000000 extent1\n00000000 0100 0000 18000000 extent2\n02000000 0400 0000 14000000 extent3\n\nIn the ext4_valid_extent_entries function,\nif prev is 0, no error is returned even if lblock<=prev.\nThis was intended to skip the check on the first extent, but\nin the error image above, prev=0+1-1=0 when checking the second extent,\nso even though lblock<=prev, the function does not return an error.\nAs a result, bug_ON occurs in __es_tree_search and the system panics.\n\nTo solve this problem, we only need to check that:\n1. The lblock of the first extent is not less than 0.\n2. The lblock of the next extent is not less than\n the next block of the previous extent.\nThe same applies to extent_idx."
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/ext4/extents.c"
],
"versions": [
{
"version": "5946d089379a35dda0e531710b48fca05446a196",
"lessThan": "d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f",
"status": "affected",
"versionType": "git"
},
{
"version": "5946d089379a35dda0e531710b48fca05446a196",
"lessThan": "4fd58b5cf118d2d9038a0b8c9cc0e43096297686",
"status": "affected",
"versionType": "git"
},
{
"version": "5946d089379a35dda0e531710b48fca05446a196",
"lessThan": "3c617827cd51018bc377bd2954e176920ddbcfad",
"status": "affected",
"versionType": "git"
},
{
"version": "5946d089379a35dda0e531710b48fca05446a196",
"lessThan": "59cf2fabbfe76de29d88dd7ae69858a25735b59f",
"status": "affected",
"versionType": "git"
},
{
"version": "5946d089379a35dda0e531710b48fca05446a196",
"lessThan": "ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a",
"status": "affected",
"versionType": "git"
},
{
"version": "5946d089379a35dda0e531710b48fca05446a196",
"lessThan": "d36f6ed761b53933b0b4126486c10d3da7751e7f",
"status": "affected",
"versionType": "git"
},
{
"version": "4645e4ee32aee01a85bdc03348982a65c65ce216",
"status": "affected",
"versionType": "git"
},
{
"version": "a1192c0e5d037def6763f3873d3340615c241fe7",
"status": "affected",
"versionType": "git"
},
{
"version": "ae21dda05193c441bde106a4bbf88c185a68fbed",
"status": "affected",
"versionType": "git"
},
{
"version": "ea214c946ee77588c4313be3e9951edd25d6b270",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"fs/ext4/extents.c"
],
"versions": [
{
"version": "3.13",
"status": "affected"
},
{
"version": "0",
"lessThan": "3.13",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.277",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.121",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.46",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.17.14",
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.18.3",
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.19",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13",
"versionEndExcluding": "5.4.277"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13",
"versionEndExcluding": "5.10.121"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13",
"versionEndExcluding": "5.15.46"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13",
"versionEndExcluding": "5.17.14"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13",
"versionEndExcluding": "5.18.3"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.13",
"versionEndExcluding": "5.19"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.55"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.76"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.26"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.7"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/d0083459e2b6b07ebd78bea2fe684a19cc0f3d0f"
},
{
"url": "https://git.kernel.org/stable/c/4fd58b5cf118d2d9038a0b8c9cc0e43096297686"
},
{
"url": "https://git.kernel.org/stable/c/3c617827cd51018bc377bd2954e176920ddbcfad"
},
{
"url": "https://git.kernel.org/stable/c/59cf2fabbfe76de29d88dd7ae69858a25735b59f"
},
{
"url": "https://git.kernel.org/stable/c/ea6ea18b3ab0c0d7fefffb3c4d27df758b1c790a"
},
{
"url": "https://git.kernel.org/stable/c/d36f6ed761b53933b0b4126486c10d3da7751e7f"
}
],
"title": "ext4: fix bug_on in __es_tree_search",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2022-49409",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}