CVE-2022-49707

Source
https://cve.org/CVERecord?id=CVE-2022-49707
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49707.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49707
Published
2025-02-26T02:24:25.441Z
Modified
2026-03-20T11:47:07.775973Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
ext4: add reserved GDT blocks check
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: add reserved GDT blocks check

We capture a NULL pointer issue when resizing a corrupt ext4 image whose resize_inode feature was freshly cleared (without running e2fsck). It can be simply reproduced by the following steps. The problem is that because the resize_inode feature was cleared, ext4_resize_fs() will convert the filesystem to meta_bg mode, but es->s_reserved_gdt_blocks was not reduced to zero, so we could mistakenly call reserve_backup_gdb() and pass an uninitialized resize_inode to it when adding new group descriptors.

  mkfs.ext4 /dev/sda 3G
  tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck
  mount /dev/sda /mnt
  resize2fs /dev/sda 8G

  ========
  BUG: kernel NULL pointer dereference, address: 0000000000000028
  CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748
  ...
  RIP: 0010:ext4_flex_group_add+0xe08/0x2570
  ...
  Call Trace:
   <TASK>
   ext4_resize_fs+0xbec/0x1660
   __ext4_ioctl+0x1749/0x24e0
   ext4_ioctl+0x12/0x20
   __x64_sys_ioctl+0xa6/0x110
   do_syscall_64+0x3b/0x90
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  RIP: 0033:0x7f2dd739617b
  ========

The fix is simple: add a check in ext4_resize_begin() to make sure that es->s_reserved_gdt_blocks is zero when the resize_inode feature is disabled.
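The following is an added, user-space illustration of the consistency check described above; it is not the kernel patch itself and not code from the advisory. It reads the two superblock fields the check depends on (s_feature_compat at offset 0x5C and s_reserved_gdt_blocks at offset 0xCE of the 1024-byte ext4 superblock), builds constructed superblock images for the three states a disk passes through in the reproduction (fresh mkfs, tune2fs without e2fsck, after e2fsck), and rejects the inconsistent one before any resize logic would touch the missing resize inode. The magic-number check and the enum and function names are this example's own additions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets inside the on-disk ext4 superblock (1024 bytes, little-endian). */
#define SB_SIZE                    1024
#define SB_MAGIC_OFF               0x38   /* __le16 s_magic */
#define SB_FEATURE_COMPAT_OFF      0x5C   /* __le32 s_feature_compat */
#define SB_RESERVED_GDT_BLOCKS_OFF 0xCE   /* __le16 s_reserved_gdt_blocks */

#define EXT4_SUPER_MAGIC                 0xEF53
#define EXT4_FEATURE_COMPAT_RESIZE_INODE 0x0010

enum resize_check {
    RESIZE_OK = 0,
    RESIZE_BAD_MAGIC = 1,
    /* resize_inode cleared but reserved GDT blocks still advertised: the
     * state tune2fs -O ^resize_inode leaves behind until e2fsck runs. */
    RESIZE_RESERVED_GDT_WITHOUT_RESIZE_INODE = 2,
};

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)((v >> (8 * i)) & 0xff);
}

/* User-space mirror of the precondition the fix enforces in ext4_resize_begin():
 * once resize_inode is off, growth goes through meta_bg and the reserved GDT
 * block count must be zero, otherwise the resize path would try to use a
 * resize inode that was never set up. */
enum resize_check check_resize_begin(const uint8_t *sb, size_t len)
{
    if (len < SB_SIZE || rd_le16(sb + SB_MAGIC_OFF) != EXT4_SUPER_MAGIC)
        return RESIZE_BAD_MAGIC;

    uint32_t compat = rd_le32(sb + SB_FEATURE_COMPAT_OFF);
    uint16_t reserved = rd_le16(sb + SB_RESERVED_GDT_BLOCKS_OFF);

    if (!(compat & EXT4_FEATURE_COMPAT_RESIZE_INODE) && reserved != 0)
        return RESIZE_RESERVED_GDT_WITHOUT_RESIZE_INODE;
    return RESIZE_OK;
}

/* Constructed superblock image (only the fields the check reads are filled in). */
void build_superblock(uint8_t *sb, int resize_inode, uint16_t reserved_gdt)
{
    memset(sb, 0, SB_SIZE);
    wr_le16(sb + SB_MAGIC_OFF, EXT4_SUPER_MAGIC);
    wr_le32(sb + SB_FEATURE_COMPAT_OFF,
            resize_inode ? EXT4_FEATURE_COMPAT_RESIZE_INODE : 0);
    wr_le16(sb + SB_RESERVED_GDT_BLOCKS_OFF, reserved_gdt);
}

/* Build one scenario and run the check on it. */
enum resize_check check_scenario(int resize_inode, uint16_t reserved_gdt)
{
    uint8_t sb[SB_SIZE];
    build_superblock(sb, resize_inode, reserved_gdt);
    return check_resize_begin(sb, sizeof sb);
}

int main(void)
{
    static const char *names[] = {"ok", "bad magic", "reserved GDT blocks without resize_inode"};
    /* mkfs.ext4 default: resize_inode on, some reserved GDT blocks */
    printf("fresh mkfs          : %s\n", names[check_scenario(1, 256)]);
    /* tune2fs -O ^resize_inode, e2fsck skipped: the crashing state */
    printf("tune2fs, no e2fsck  : %s\n", names[check_scenario(0, 256)]);
    /* after e2fsck has zeroed the reserved count: valid meta_bg layout */
    printf("after e2fsck        : %s\n", names[check_scenario(0, 0)]);
    return 0;
}
```

The same two-field test can be run against a raw image with `dd if=image bs=1024 skip=1 count=1` feeding check_resize_begin(), which makes it a cheap pre-flight before handing an untrusted image to resize2fs on an unpatched kernel.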

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49707.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1c6bd7173d66b3dfdefcedb38cabc1fb03997509
Fixed
0dc2fca8e4f9ac4a40e8424a10163369cca0cc06
Fixed
7c921328ac760bba780bdace41f4cd045f7f1405
Fixed
b9747263b13e5290ac4d63bec47e38f701303cad
Fixed
fba54289176702a7caac0b64738406775817f451
Fixed
bfd004a1d3a062aac300523d406ac1f3e5f1a82c
Fixed
33b1bba31f4c784d33d2c2517964bdccdc9204cd
Fixed
af75c481a2e45e70f62f5942c93695e95bf7bd21
Fixed
b55c3cd102a6f48b90e61c44f7f3dda8c290c694

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49707.json"