CVE-2022-49276

If an error is returned in jffs2scaneraseblock() and some memory has been added to the jffs2_summary *s, we can observe the following kmemleak report:

unreferenced object 0xffff88812b889c40 (size 64): comm "mount", pid 692, jiffies 4294838325 (age 34.288s) hex dump (first 32 bytes): 40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00 @H........1...P. 00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08 ................ backtrace: [<ffffffffae93a3a3>] __kmalloc+0x613/0x910 [<ffffffffaf423b9c>] jffs2sumadddirentmem+0x5c/0xa0 [<ffffffffb0f3afa8>] jffs2scanmedium.cold+0x36e5/0x4794 [<ffffffffb0f3dbe1>] jffs2domountfs.cold+0xa7/0x2267 [<ffffffffaf40acf3>] jffs2dofillsuper+0x383/0xc30 [<ffffffffaf40c00a>] jffs2fillsuper+0x2ea/0x4c0 [<ffffffffb0315d64>] mtdgetsb+0x254/0x400 [<ffffffffb0315f5f>] mtdgetsbbynr+0x4f/0xd0 [<ffffffffb0316478>] gettreemtd+0x498/0x840 [<ffffffffaf40bd15>] jffs2gettree+0x25/0x30 [<ffffffffae9f358d>] vfsgettree+0x8d/0x2e0 [<ffffffffaea7a98f>] pathmount+0x50f/0x1e50 [<ffffffffaea7c3d7>] domount+0x107/0x130 [<ffffffffaea7c5c5>] __sesysmount+0x1c5/0x2f0 [<ffffffffaea7c917>] _x64sysmount+0xc7/0x160 [<ffffffffb10142f5>] dosyscall64+0x45/0x70 unreferenced object 0xffff888114b54840 (size 32): comm "mount", pid 692, jiffies 4294838325 (age 34.288s) hex dump (first 32 bytes): c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00 .u.............. 00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5 ......D...kkkkk. backtrace: [<ffffffffae93be24>] kmemcachealloctrace+0x584/0x880 [<ffffffffaf423b04>] jffs2sumaddinodemem+0x54/0x90 [<ffffffffb0f3bd44>] jffs2scanmedium.cold+0x4481/0x4794 [...] unreferenced object 0xffff888114b57280 (size 32): comm "mount", pid 692, jiffies 4294838393 (age 34.357s) hex dump (first 32 bytes): 10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00 ..l............. 00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5 ..8...(...kkkkk. backtrace: [<ffffffffae93be24>] kmemcachealloctrace+0x584/0x880 [<ffffffffaf423c34>] jffs2sumaddxattrmem+0x54/0x90 [<ffffffffb0f3a24f>] jffs2scanmedium.cold+0x298c/0x4794 [...] unreferenced object 0xffff8881116cd510 (size 16): comm "mount", pid 692, jiffies 4294838395 (age 34.355s) hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5 ..........`...k. backtrace: [<ffffffffae93be24>] kmemcachealloctrace+0x584/0x880 [<ffffffffaf423cc4>] jffs2sumaddxrefmem+0x54/0x90 [<ffffffffb0f3b2e3>] jffs2scanmedium.cold+0x3a20/0x4794

[...]

Therefore, we should call jffs2sumresetcollected(s) on exit to release the memory added in s. In addition, a new tag "outbuf" is added to prevent the NULL pointer reference caused by s being NULL. (thanks to Zhang Yi for this analysis)

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49276.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e631ddba588783edd521c5a89f7b2902772fb691

Fixed

9b0c69182f09b70779817af4dcf89780955d5c4c

Fixed

b36bccb04e14cc0c1e2d0e92d477fe220314fad6

Fixed

e711913463af916d777a4873068f415f1fe2ad33

Fixed

455f4a23490bfcbedc8e5c245c463a59b19e5ddd

Fixed

51dbb5e36d59f62e34d462b801c1068248149cfe

Fixed

52ba0ab4f0a606f02a6163493378989faa1ec10a

Fixed

b26bbc0c122cad038831f226a4cb4de702225e16

Fixed

82462324bf35b6b553400af1c1aa265069cee28f

Fixed

9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49276.json"