CVE-2022-49707

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49707
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49707.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49707
Related
Published
2025-02-26T07:01:46Z
Modified
2025-03-12T00:50:02.434716Z
Downstream
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: add reserved GDT blocks check

We capture a NULL pointer issue when resizing a corrupt ext4 image which is freshly clear resizeinode feature (not run e2fsck). It could be simply reproduced by following steps. The problem is because of the resizeinode feature was cleared, and it will convert the filesystem to metabg mode in ext4resizefs(), but the es->sreservedgdtblocks was not reduced to zero, so could we mistakenly call reservebackupgdb() and passing an uninitialized resize_inode to it when adding new group descriptors.

mkfs.ext4 /dev/sda 3G tune2fs -O ^resize_inode /dev/sda #forget to run requested e2fsck mount /dev/sda /mnt resize2fs /dev/sda 8G

======== BUG: kernel NULL pointer dereference, address: 0000000000000028 CPU: 19 PID: 3243 Comm: resize2fs Not tainted 5.18.0-rc7-00001-gfde086c5ebfd #748 ... RIP: 0010:ext4flexgroupadd+0xe08/0x2570 ... Call Trace: <TASK> ext4resizefs+0xbec/0x1660 _ext4ioctl+0x1749/0x24e0 ext4ioctl+0x12/0x20 _x64sysioctl+0xa6/0x110 dosyscall64+0x3b/0x90 entrySYSCALL64after_hwframe+0x44/0xae RIP: 0033:0x7f2dd739617b ========

The fix is simple, add a check in ext4resizebegin() to make sure that the es->sreservedgdtblocks is zero when the resizeinode feature is disabled.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.127-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}