CVE-2022-50367

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs: fix UAF/GPF bug in nilfs_mdt_destroy

In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF).

Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes)

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < d1ff475d7c83289d0a7faef346ea3bbf90818badaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < c0aa76b0f17f59dd9c9d3463550a2986a1d592e4affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ec2aab115eb38ac4992ea2fcc2a02fbe7af5cf48affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 70e4f70d54e0225f91814e8610477d65f33cefe4affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1e555c3ed1fce4b278aaebe18a64a934cece57d8affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 64b79e632869ad3ef6c098a4731d559381da1115affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 81de80330fa6907aec32eb54c5619059e6e36452affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2a96b532098284ecf8e4849b8b9e5fc7a28bdee9affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2e488f13755ffbb60f307e991b27024716a33b29affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux4.9.331 <= 4.9.*unaffected
LinuxLinux4.14.296 <= 4.14.*unaffected
LinuxLinux4.19.262 <= 4.19.*unaffected
LinuxLinux5.4.218 <= 5.4.*unaffected
LinuxLinux5.10.148 <= 5.10.*unaffected
LinuxLinux5.15.73 <= 5.15.*unaffected
LinuxLinux5.19.15 <= 5.19.*unaffected
LinuxLinux6.0.1 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References