CVE-2022-49276

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49276
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49276.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49276
Related
Published
2025-02-26T07:01:04Z
Modified
2025-04-14T18:45:26.379486Z
Downstream
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

jffs2: fix memory leak in jffs2scanmedium

If an error is returned in jffs2scaneraseblock() and some memory has been added to the jffs2_summary *s, we can observe the following kmemleak report:

unreferenced object 0xffff88812b889c40 (size 64): comm "mount", pid 692, jiffies 4294838325 (age 34.288s) hex dump (first 32 bytes): 40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P. 00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................ backtrace: [<ffffffffae93a3a3>] _kmalloc+0x613/0x910 [<ffffffffaf423b9c>] jffs2sumadddirentmem+0x5c/0xa0 [<ffffffffb0f3afa8>] jffs2scanmedium.cold+0x36e5/0x4794 [<ffffffffb0f3dbe1>] jffs2domountfs.cold+0xa7/0x2267 [<ffffffffaf40acf3>] jffs2dofillsuper+0x383/0xc30 [<ffffffffaf40c00a>] jffs2fillsuper+0x2ea/0x4c0 [<ffffffffb0315d64>] mtdgetsb+0x254/0x400 [<ffffffffb0315f5f>] mtdgetsbbynr+0x4f/0xd0 [<ffffffffb0316478>] gettreemtd+0x498/0x840 [<ffffffffaf40bd15>] jffs2gettree+0x25/0x30 [<ffffffffae9f358d>] vfsgettree+0x8d/0x2e0 [<ffffffffaea7a98f>] pathmount+0x50f/0x1e50 [<ffffffffaea7c3d7>] domount+0x107/0x130 [<ffffffffaea7c5c5>] _sesysmount+0x1c5/0x2f0 [<ffffffffaea7c917>] _x64sysmount+0xc7/0x160 [<ffffffffb10142f5>] dosyscall64+0x45/0x70 unreferenced object 0xffff888114b54840 (size 32): comm "mount", pid 692, jiffies 4294838325 (age 34.288s) hex dump (first 32 bytes): c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u.............. 00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk. backtrace: [<ffffffffae93be24>] kmemcachealloctrace+0x584/0x880 [<ffffffffaf423b04>] jffs2sumaddinodemem+0x54/0x90 [<ffffffffb0f3bd44>] jffs2scanmedium.cold+0x4481/0x4794 [...] unreferenced object 0xffff888114b57280 (size 32): comm "mount", pid 692, jiffies 4294838393 (age 34.357s) hex dump (first 32 bytes): 10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l............. 00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk. backtrace: [<ffffffffae93be24>] kmemcachealloctrace+0x584/0x880 [<ffffffffaf423c34>] jffs2sumaddxattrmem+0x54/0x90 [<ffffffffb0f3a24f>] jffs2scanmedium.cold+0x298c/0x4794 [...] unreferenced object 0xffff8881116cd510 (size 16): comm "mount", pid 692, jiffies 4294838395 (age 34.355s) hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k. backtrace: [<ffffffffae93be24>] kmemcachealloctrace+0x584/0x880 [<ffffffffaf423cc4>] jffs2sumaddxrefmem+0x54/0x90 [<ffffffffb0f3b2e3>] jffs2scanmedium.cold+0x3a20/0x4794

[...]

Therefore, we should call jffs2sumresetcollected(s) on exit to release the memory added in s. In addition, a new tag "outbuf" is added to prevent the NULL pointer reference caused by s being NULL. (thanks to Zhang Yi for this analysis)

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.113-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}