CVE-2022-50344

Summary

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix null-ptr-deref in ext4_write_info

I caught a null-ptr-deref bug as follows:

KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339 RIP: 0010:ext4_write_info+0x53/0x1b0 […] Call Trace: dquot_writeback_dquots+0x341/0x9a0 ext4_sync_fs+0x19e/0x800 __sync_filesystem+0x83/0x100 sync_filesystem+0x89/0xf0 generic_shutdown_super+0x79/0x3e0 kill_block_super+0xa1/0x110 deactivate_locked_super+0xac/0x130 deactivate_super+0xb6/0xd0 cleanup_mnt+0x289/0x400 __cleanup_mnt+0x16/0x20 task_work_run+0x11c/0x1c0 exit_to_user_mode_prepare+0x203/0x210 syscall_exit_to_user_mode+0x5b/0x3a0 do_syscall_64+0x59/0x70 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Above issue may happen as follows:

exit_to_user_mode_prepare task_work_run __cleanup_mnt cleanup_mnt deactivate_super deactivate_locked_super kill_block_super generic_shutdown_super shrink_dcache_for_umount dentry = sb->s_root sb->s_root = NULL <— Here set NULL sync_filesystem __sync_filesystem sb->s_op->sync_fs > ext4_sync_fs dquot_writeback_dquots sb->dq_op->write_info > ext4_write_info ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2) d_inode(sb->s_root) s_root->d_inode <— Null pointer dereference

To solve this problem, we use ext4_journal_start_sb directly to avoid s_root being used.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < dc451578446afd03c0c21913993c08898a691435affected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < f4b5ff0b794aa94afac7269c494550ca2f66511baffected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < 947264e00c46de19a016fd81218118c708fed2f3affected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < 3638aa1c7d87c0ca0aef23cf58cae2c48e7daca4affected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < f34ab95162763cd7352f46df169296eec28b688daffected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < 533c60a0b97cee5daab376933f486207e6680fb7affected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < 4a657319cfabd6199fd0b7b65bbebf6ded7a11c1affected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < bb420e8afc854d2a1caaa23a0c129839acfb7888affected
LinuxLinuxa1177825719ccef3f76ef39bbfd5ebb6087d53c7 < f9c1f248607d5546075d3f731e7607d5571f2b60affected
LinuxLinux3.6affected
LinuxLinux0 < 3.6unaffected
LinuxLinux4.9.331 <= 4.9.*unaffected
LinuxLinux4.14.296 <= 4.14.*unaffected
LinuxLinux4.19.262 <= 4.19.*unaffected
LinuxLinux5.4.220 <= 5.4.*unaffected
LinuxLinux5.10.150 <= 5.10.*unaffected
LinuxLinux5.15.75 <= 5.15.*unaffected
LinuxLinux5.19.17 <= 5.19.*unaffected
LinuxLinux6.0.3 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References