CVE-2022-49707

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-49707

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49707.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-49707

Related

UBUNTU-CVE-2022-49707

Published

2025-02-26T07:01:46Z

Modified

2025-03-12T00:50:02.434716Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: add reserved GDT blocks check

We capture a NULL pointer issue when resizing a corrupt ext4 image which is freshly clear resizeinode feature (not run e2fsck). It could be simply reproduced by following steps. The problem is because of the resizeinode feature was cleared, and it will convert the filesystem to metabg mode in ext4resizefs(), but the es->sreservedgdtblocks was not reduced to zero, so could we mistakenly call reservebackupgdb() and passing an uninitialized resize_inode to it when adding new group descriptors.

mkfs.ext4 /dev/sda 3G tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck mount /dev/sda /mnt resize2fs /dev/sda 8G

======== BUG: kernel NULL pointer dereference, address: 0000000000000028 CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748 ... RIP: 0010:ext4flexgroupadd+0xe08/0x2570 ... Call Trace: <TASK> ext4resizefs+0xbec/0x1660 _ext4ioctl+0x1749/0x24e0 ext4ioctl+0x12/0x20 _x64sysioctl+0xa6/0x110 dosyscall64+0x3b/0x90 entrySYSCALL64after_hwframe+0x44/0xae RIP: 0033:0x7f2dd739617b ========

The fix is simple, add a check in ext4resizebegin() to make sure that the es->sreservedgdtblocks is zero when the resizeinode feature is disabled.

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.127-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}